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Activities  such  as  clinical  investigations  or  financial  processes  are  subject  to  regulations  to  ensure 
quality  of  results  and  avoid  negative  consequences.  Regulations  may  be  imposed  by  multiple 
governmental  agencies  as  well  as  by  institutional  policies  and  protocols.  Due  to  the  complexity  of 
both  regulations  and  activities  there  is  great  potential  for  violation  due  to  human  error, 
misunderstanding,  or  even  intent.  Executable  formal  models  of  regulations,  protocols,  and  activities 
can  form  the  foundation  for  automated  assistants  to  aid  planning,  monitoring,  and  compliance 
checking.  We  propose  a  model  based  on  multiset  rewriting  where  time  is  discrete  and  is  specified  by 
timestamps  attached  to  facts.  Actions,  as  well  as  initial,  goal  and  critical  states  may  be  constrained  by 
means  of  relative  time  constraints.  Moreover,  actions  may  have  non-deterministic  effects,  i.e.,  they 
may  have  different  outcomes  whenever  applied.  We  present  a  formal  semantics  of  our  model  based  on 
focused  proofs  of  linear  logic  with  definitions.  We  also  determine  the  computational  complexity  of 
various  planning  problems.  Plan  compliance  problem,  for  example,  is  the  problem  of  finding  a  plan 
that  leads  from  an  initial  state  to  a  desired  goal  state  without  reaching  any  undesired  critical  state.  We 
consider  all  actions  to  be  balanced,  i.e.,  their  pre  and  post-conditions  have  the  same  number  of  facts. 
Under  this  assumption  on  actions,  we  show  that  the  plan  compliance  problem  is  PSPACE-complete 
when  all  actions  have  only  deterministic  effects  and  is  EXPTIME-complete  when  actions  may  have 
non-deterministic  effects.  Finally,  we  show  that  the  restrictions  on  the  form  of  actions  and  time 
constraints  taken  in  the  specification  of  our  model  are  necessary  for  decidability  of  the  planning 
problems. 
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1.  Introduction 

Regulations  are  commonly  used  to  set  the  rules  of  conduct  of  numerous  activities  in  order  to 
ensure  quality  of  results  and  avoid  negative  consequences.  For  example,  while  carrying  out  a 
clinical  investigation  (Cl) — that  is,  a  set  of  procedures  in  medical  research  and  drug  development, 
to  test  a  new  drug  or  other  intervention  on  human  subjects,  it  is  important  that  conclusive  data  is 
collected  and  that  the  health  of  the  subjects  participating  in  the  Cl  is  not  compromised.  In  order  to 
collect  the  most  conclusive  data,  for  instance,  drug  samples  have  to  be  taken  and  all  the  necessary 
tests  have  to  be  carried  out  in  well  defined  periods  of  time.  Moreover,  since  these  experiments 
might  compromise  the  health  of  subjects,  CIs  are  rigorously  regulated  by  policies  elaborated 
by  governmental  agencies  such  as  the  Food  and  Drug  Administration  (FDA)  (FDA99).  These 
regulations  require  prompt  action  whenever  a  serious  and  unexpected  problem  with  any  subject  is 
reported.  In  the  current  state  of  affairs,  there  is  little  to  almost  no  automation  in  the  management 
of  CIs  and  therefore  the  process  is  prone  to  human  error.  As  described  in  (NBS+12),  there  is 
plenty  of  room  for  the  use  of  automated  assistants  to  help  reduce  human  mistakes  from  happening. 
For  instance,  a  computer  assistant  can  automatically  generate  plans  that  guide  the  clinical  staff 
on  how  a  Cl  has  to  be  carried  out.  An  assistant  can  also  monitor  the  execution  of  a  Cl  and  signal 
alarms  whenever  a  deviation  to  the  specification  is  detected. 

This  paper  proposes  a  rewriting  framework  that  can  be  used  to  specify  collaborative  systems, 
such  as  CIs,  and  can  be  used  as  the  foundation  for  building  automated  assistants.  Our  model  is 
an  extension  of  the  systems  used  for  modeling  collaborative  systems  proposed  in  (KRS1 1)  with 
explicit  time.  An  important  feature  of  our  model  is  that  its  specifications  can  be  directly  written 
and  executed  in  Maude  (CDE+07),  a  powerful  tool  based  on  rewrite  logic  (JM92).  For  more 
details  see  (NBS+12)  where  we  address  implementation. 

A  second  feature  of  our  framework  is  that  its  specifications  can  mention  time  explicitly.  Time  is 
often  a  key  component  used  in  policies  specifying  the  rules  and  the  requirements  of  a  collaboration. 
For  a  correct  collaboration  and  to  achieve  a  common  goal,  participants  should  usually  follow 
strict  deadlines  and  should  have  quick  reactions  to  some  (unexpected)  events.  For  instance,  the 
paragraph  312.32  on  Investigational  New  Drug  Application  (IND)  safety  (FDA99)  includes 
explicit  time  intervals  that  must  be  followed  in  case  of  any  unexpected,  serious  or  life-threatening 
adverse  drug  experience:  (The  emphasis  in  the  text  below  is  ours.) 

“  (c)  IND  safety  reports 

(1 )  Written  reports  — (i)  The  sponsor  shall  notify  FDA  and  all  participating  investigators  in  a  written  IND 
safety  report  of:  (A)  Any  adverse  experience  associated  with  the  use  of  the  drug  that  is  both  serious  and 
unexpected;  [■  ■  ■  ]  Each  notification  shall  be  made  as  soon  as  possible  and  in  no  event  later  than  15  calendar 
days  after  the  sponsor’s  initial  receipt  of  the  information  [■  ■  ■  ] 

(2)  Telephone  and  facsimile  transmission  safety  reports.  The  sponsor  shall  also  notify  FDA  by  telephone 
or  hy  facsimile  transmission  of  any  unexpected  fatal  or  life-threatening  experience  associated  with  the  use  of 
the  drug  as  soon  as  possible  but  in  no  event  later  than  7  calendar  days  after  the  sponsor’s  initial  receipt  of 
the  information.” 

The  above  clauses  explicitly  mention  two  different  time  intervals.  The  first  one  specifies  that  a 
detailed  safety  report  must  be  sent  to  the  FDA  within  15  days  after  a  serious  and  unexpected  event 
is  detected,  while  the  second  specifies  the  obligation  of  notifying  FDA  of  such  an  event  within  7 
days. 
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In  order  to  accommodate  explicit  time,  we  attach  to  facts  a  natural  number  called  a  timestamp. 
Timestamps  can  be  used  in  different  ways  depending  on  the  system  being  modeled.  In  the  example 
above,  the  timestamp  t  of  the  fact  Dose(id)@t  could  denote  that  the  subject  with  anonymous 
identification  number  id  received  a  dose  at  time  t.  Alternatively,  the  timestamp,  t-2,  of  the  fact 
Deadline@t2  could  denote  the  time  of  when  some  activity  should  end.  Moreover,  we  keep  track 
of  time  by  assuming  a  discrete  global  time,  using  the  special  fact  Time@t  that  denotes  that  the 
current  time  is  t.  The  global  time  advances  by  replacing  Time@t  by  Time@(t  +  1). 

Agents  change  the  state  of  the  system  by  performing  actions  which  are  given  as  rewrite  rules. 
In  order  to  specify  the  type  of  time  requirements  illustrated  above,  a  set  of  time  constraints  may 
be  attached  to  actions.  This  set  acts  as  a  guard  of  the  action,  i.e.  the  action  can  only  be  applied  if 
its  time  constraints  are  satisfied.  Formally,  a  time  constraint  is  a  comparison  involving  exactly  two 
timestamps,  e.g.  ,  Tj  <  T2  +  7  (see  Eq.  1). 

Besides  allowing  guards  with  time  constraints,  we  also  allow  actions  to  have  non-deterministic 
effects.  In  particular,  actions  are  allowed  to  have  a  finite  number  of  post-conditions  specifying  a 
finite  number  of  possible  resulting  states.  These  actions  are  useful  when  specifying  systems,  such 
as  CIs,  containing  actions  that  may  lead  to  different  outcomes,  but  it  is  not  certain  beforehand 
which  one  of  the  outcomes  will  actually  occur.  For  instance,  when  carrying  out  a  blood  test  for  the 
presence  of  some  substance,  it  is  not  a  priori  clear  what  the  test  result  will  be.  Nevertheless,  one 
can  classify  any  result  as  either  positive  or  negative.  Depending  on  this  result,  one  would  need  to 
take  a  different  set  of  future  actions.  For  example,  if  the  blood  test  is  positive,  then  one  might  not 
be  suitable  for  participating  as  a  subject  in  a  particular  Cl,  but  may  be  suitable  for  other  CIs.  We 
classify  actions  that  have  more  than  one  outcome  as  branching  actions. 

Finally,  in  collaborative  systems  agents  collaborate  in  order  to  achieve  a  common  goal,  but  they 
should  also  avoid  critical  states  that,  for  example,  violate  policies.  An  example  of  a  goal  state 
for  CIs  would  be  to  collect  conclusive  data  without  compromising  the  health  of  subjects,  while  a 
critical  state  would  be  a  state  that  violates  the  FDA  policies.  In  our  model,  critical,  goal  and  initial 
states  can  also  mention  time  explicitly  by  using  time  constraints. 

This  paper’s  contributions  are  the  following: 

—  Timed  local  state  transition  systems  are  specified  in  order  to  formalize  systems  with  explicit 
time.  This  specification  takes  necessary  restrictions  on  the  type  of  actions  and  time  constraints 
so  that  explicit  time  requirements  are  expressible  in  the  system,  but  at  the  same  time  it  is 
precise  with  respect  to  complexity  results  of  the  associated  planning  problems  so  that  we 
provide  decidability. 

—  We  determine  the  complexity  of  the  plan  compliance  problem  (KRS1 1),  that  is,  the  problem 
of  determining  whether  there  is  a  plan  where  the  collaboration  achieves  the  common  goal  and 
in  the  process  no  critical  state  is  reached.  It  has  been  shown  that  the  plan  compliance  problem 
is  undecidable  in  general  (KRS09).  However,  we  get  decidability  in  the  important  case  when 
all  actions  are  balanced ,  i.e..  pre  and  post-conditions  of  actions  have  the  same  number  of 
facts.  Intuitively,  this  restriction  bounds  the  memory  of  agents,  as  they  can  remember  at  any 
point  only  a  bounded  number  of  facts.  Additionally,  we  assume  that  the  facts  created  by  an 
action,  that  is,  the  new  facts  that  appear  in  its  post-condition,  can  only  have  timestamps  of 
the  form  T  +  d,  where  T  is  the  current  global  time  and  d  a  natural  number.  Under  these  two 
assumptions  on  actions,  we  show  that  (1)  the  plan  compliance  problem  is  PSPACE-complete 
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if  no  branching  actions  are  allowed  and  (2)  is  EXPTIME-complete  if  branching  actions  are 
allowed.  We  also  investigate  the  complexity  of  the  reachability  problem  and  the  timed  system 
compliance  problems. 

—  We  present  a  formal  semantics  of  our  model  based  on  logic,  namely,  on  linear  logic  with 
definitions  (PSH93;  BM07;  DB08).  In  particular,  we  provide  an  encoding  and  prove  that  there 
is  a  one-to-one  correspondence  between  the  plans  and  the  (cut-free)  focused  proofs  (JMA92) 
of  its  encoding. 


Regarding  the  first  contribution  described  above,  even  in  the  case  of  balanced  actions,  we  have 
to  deal  with  the  problem  that  a  plan  can  generate  timestamps  T  of  unbounded  numeric  values.  In 
particular,  the  state  space  is  internally  infinite  since  an  arbitrary  number  of  time  advances  can 
occur  (as  illustrated  at  the  beginning  of  Section  4).  In  our  previous  work  (KBNS10)  we  were  able 
to  solve  a  similar  unboundedness  problem  caused  by  the  presence  of  freshly  created  objects  that 
are  called  nonces  in  protocol  security  literature.  However,  the  solution  proposed  in  (KBNS10) 
is  not  applicable  to  the  problem  of  unboundedness  of  time.  As  a  result,  in  this  paper  we  have 
made  special  precautions  in  our  choice  of  a  novel  equivalence  relation  among  states  based  on 
the  time  differences  of  the  timestamps  of  facts.  This  allows  us  to  cover  all  plans  of  unbounded 
length  caused  by  uncontrolled  time  advances,  with  providing  our  upper  bounds  for  the  timed 
collaborative  systems  (Theorem  4.1).  We  also  show  that  our  new  technique  introduced  in  this 
paper  can  be  combined  with  the  technique  introduced  in  (KBNS10)  to  solve  the  unboundedness 
for  both  time  and  nonces  in  timed  systems.  In  our  experiments,  we  used  this  novel  equivalence 
relation  among  states. 

The  paper  is  organized  as  follows.  Section  2  introduces  the  formal  model  for  timed  collaborative 
systems  called  Timed  Local  State  Transition  Systems  (TESTS')  as  well  as  the  plan  compliance 
problem  described  above.  (In  (NBS+12),  TLSTSes  were  only  mentioned,  but  not  formally 
introduced.)  In  Section  3  we  give  a  formal  semantics  of  our  model  based  on  focused  proofs  of  linear 
logic  with  definitions.  Section  4  introduces  an  equivalence  relation  between  states  of  the  system 
that  allows  us  to  handle  the  unboundedness  of  time  with  a  finite  space.  The  machinery  introduced 
in  this  section  is  used  in  Section  5  to  demonstrate  the  decidability  of  the  plan  compliance  problem. 
Section  5  contains  the  complexity  results  mentioned  above.  Section  6  we  show  that  relaxing  any 
of  the  main  conditions  on  rules  described  above  leads  to  the  undecidability  of  the  reachability 
problem  and  thus  the  undecidability  of  the  other  compliance  problem  described  above.  Finally  in 
Sections  7  and  8  we  discuss  related  and  future  work. 

This  paper  extends  the  conference  paper  (KBN+12)  by  providing  in  Section  3  a  linear  logic 
semantics  to  our  model  based  on  multiset  rewriting  and  time  constraints  and  also  by  providing  full 
details  for  our  complexity  results  for  the  plan  compliance  problem.  In  addition  we  investigate  the 
reachability  problem  and  the  system  compliance  problem,  which  were  not  dealt  in  our  conference 
paper  (KBN+12).  We  also  show  in  Section  6  that  the  restrictions  we  impose  on  the  form  of  actions 
and  time  constraints  in  our  systems  are  necessary  for  obtaining  the  decidability  of  these  problems. 
Relaxing  any  of  those  restrictions  leads  to  undecidability.  These  results  are  also  novel  with  respect 
to  our  previous  work  (KBN+12). 
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2.  Basic  Definitions 

Multiset  rewriting  models  of  collaborative  systems  with  privacy  and  confidentiality  have  been 
introduced  in  (KRS09;  KRS1 1;  KBNS13).  These  models  formalize  the  collaboration  of  a  group 
of  agents  that  work  together  in  order  to  achieve  a  common  goal.  At  the  same  time,  confiden¬ 
tiality  issues  are  addressed,  such  as  private  and  shared  information,  leakage  of  private  data  and 
reachability  of  undesired  states. 

In  this  section  we  review  the  main  concepts  and  formalize  the  timed  extension  of  the  model. 

At  the  lowest  level,  we  have  a  first-order  alphabet  £  that  consists  of  a  set  of  predicate  sym¬ 
bols  Pi,  P2, . . .,  function  symbols  /1,  /2, . . .,  constant  symbols  ci,  C2, . . .,  and  variable  symbols 
Xi,  X2,  ■  ■  ■  all  with  specific  sorts  (or  types).  The  multi-sorted  terms  over  the  alphabet  are  expres¬ 
sions  formed  by  applying  functions  to  arguments  of  the  correct  sort.  Since  terms  may  contain 
variables,  all  variables  must  have  associated  sorts.  A  fact  is  a  ground,  atomic  formula  over  multi- 
sorted  terms.  Facts  have  the  form  P(t\, . . . ,  tn)  where  P  is  an  n- ary  predicate  symbol,  where 
ti, . . . ,  tn  are  terms,  each  with  its  own  sort. 

In  order  to  accommodate  the  dimension  of  time  in  our  model,  we  associate  to  each  fact 
a  timestamp.  Timestamped  facts  are  of  the  form  P(t\, . . .  ,tn)@t,  where  the  number  t  is  the 
timestamp  of  the  fact  P(ti, . . . ,  tn).  Among  the  set  of  predicates,  we  distinguish  the  zero  arity 
predicate  Time,  which  intuitively  denotes  the  current  global  time  of  the  system.  For  instance, 
the  fact  Time @2  denotes  that  the  global  time  is  2.  Here,  we  assume  that  timestamps  are  natural 
numbers.  The  intuitive  meaning  of  a  timestamp  may  depend  on  the  system  one  is  modeling.  For 
instance,  in  our  clinical  investigations  example,  the  timestamp  associated  to  a  fact  could  denote 
the  time  when  a  problem  with  a  subject  has  been  detected. 

The  size  of  a  fact,  P,  denoted  by  |P|,  is  the  total  number  of  symbols  it  contains.  We  count  one 
for  each  occurrence  of  a  constant,  variable,  predicate,  and  function  symbol,  e.g.  ,  \P(f(x))\  =  3, 
and  | P(x,  c,x)\  =  4.  For  our  complexity  results,  we  assume  an  upper  bound  on  the  size  of  facts, 
as  in  (DLMS04;  KRS11;  KBNS10).  This  means  that  for  all  facts,  P{t\, . . .  ,tn)@t,  the  arity  of 
predicate  symbols,  n,  and  the  depth  of  terms,  ti, . . . ,  tn,  are  bounded.  However,  we  make  no 
assumptions  on  the  depth  of  timestamps,  t,  that  is,  the  size  of  timestamps  may  be  unbounded. 

A  state,  or  configuration  of  the  system  is  a  finite  multiset,  . . . ,  Qn@tn,  of  grounded 

timestamped  facts,  i. e. ,  timestamped  facts  not  containing  variables.  Configurations  are  assumed 
to  contain  exactly  one  occurrence  of  the  predicate  Time.  We  use  W,  X  to  denote  the  multiset 
resulting  from  the  multiset  union  of  W  and  X.  For  instance,  the  configuration 

{Time@ 5,  Blood(idi,  scheduled)@7,  Dose(id i)@4,  Status(idi,  normal)@5} 

denotes  that  that  current  time  is  5,  that  the  blood  test  for  subject  identified  by  id  1  should  be  taken 
on  time  7,  that  the  same  subject  took  a  dose  of  the  drug  at  time  4,  and  his  status  is  normal,  i.e.,  no 
problem  has  been  detected. 

For  simplicity  we  often  omit  the  word  “timestamped”  and  just  use  the  wording  fact. 

In  order  to  specify  private  and  shared  information  in  multiset  rewrite  systems,  and  following 
(KRS09;  KRS11),  we  assume  that  the  global  configuration  is  partitioned  into  different  local 
configurations  each  of  which  is  accessible  only  to  one  agent.  There  is  also  a  public  configuration, 
which  is  accessible  to  all  agents.  As  argued  in  (KRS11),  this  separation  allows  one  to  specify 
systems  for  which  it  is  important  to  know  which  facts  are  owned  and  can  be  manipulated  by  an 
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agent  of  the  system.  Formally,  this  separation  of  the  global  configuration  is  done  by  partitioning 
the  set  of  predicate  symbols  in  the  alphabet  and  it  will  be  usually  clear  from  the  context.  The  time 
predicate  Time  is  assumed  to  be  public.  For  instance,  in  the  above  configuration  all  facts,  except 
Time ,  belong  to  the  health  institution  monitoring  the  subject  idi. 

Time  constraints  The  time  requirements  of  a  system  are  specified  by  using  time  constraints. 
Time  constraints  are  arithmetic  comparisons  involving  exactly  two  timestamps: 

Ti  =  T2  ±  d.  Ti  >  T2  ±  d,  or  T1>T2±  d,  (1) 

where  d  is  a  natural  number  and  Tj  and  T2  are  time  variables,  which  may  be  instantiated  by  the 
timestamps  of  any  fact  including  the  global  time. 

A  concrete  motivation  for  time  constraints  to  be  relative  is  that,  as  in  physics,  the  rules  of  a 
collaboration  are  also  not  affected  by  time  shifts.  If  we  shift  the  timestamps  of  all  facts  by  the 
same  value,  the  same  rules  and  conditions  valid  with  respect  to  the  original  state  are  also  valid 
with  respect  to  the  resulting  state.  If  time  constraints  were  not  relative,  however,  then  one  would 
not  be  able  to  establish  this  important  invariant.  Indeed,  as  we  show  in  Section  6,  the  reachability 
problem  is  undecidable  for  systems  with  non-relative  time  constraints. 


2.1.  Branching  Actions  and  Plans 


Branching  Actions  Actions  work  as  multiset  rewrite  rules.  Actions  are  applied  to  configura¬ 
tions  to  produce  new  configurations,  hence  action  application  represents  a  process  of  changes 
of  system  states.  As  in  (KRS1 1;  KBNS10)  we  assume  that  each  agent  has  a  finite  set  of  actions. 
However,  we  extend  actions  in  two  different  ways:  First,  we  add  guards  to  actions ;  and  second  we 
allow  actions  to  have  a  finite  number  of  non-deterministic  effects. 

In  their  most  general  form,  actions  have  the  following  form: 

W  |  T  — paTi.Wi]  ©  •  •  •  ©  (2) 

The  subscript  A  is  the  name  of  the  agent  that  owns  this  action.  W  is  the  pre-condition  of  this  rule, 
while  if'j  . . . . ,  Wn  are  its  post-conditions.  All  facts  in  W,  ITj , . . . ,  Wn  are  public  and/or  belong 
to  the  agent  A.  T  is  the  guard  of  the  action  consisting  of  finitely  many  time  constraints  of  the 
form  shown  in  Equation  1 .  We  assume  that  all  free  variables  are  universally  quantified  at  the  head 
of  the  rule.  The  existentially  quantified  variables  specify  the  creation  of  fresh  values,  also  known 
as  nonces  in  protocol  security  literature.^  By  applying  the  rule  for  a  ground  substitution  (a),  the 
pre-condition  (W a)  to  which  this  substitution  has  been  applied  is  replaced  with  a  post-condition 
(Wj<j)  to  which  the  same  substitution  has  been  applied.  In  this  process,  the  existentially  quantified 
variables  (afj)  appearing  in  the  post-condition  are  replaced  by  fresh  constants. 

Finally,  if  n  >  1,  then  we  classify  the  action  as  branching ,  otherwise,  when  n  =  1,  we  classify 
the  action  as  non- branching. 


t  Fresh  values  are  also  often  used  in  administrative  processes,  such  as  when  a  transaction  number  is  issued.  In  particular, 
the  transaction  number  has  to  be  fresh.  For  a  more  detailed  account  for  fresh  values  in  administrative  processes,  see 
(KBNS13). 
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We  say  that  a  rule  r  of  the  form  shown  in  Equation  2  creates  a  fact  F@T,  if  F@T  does  not 
appear  in  its  pre-condition  W,  but  appears  in  at  least  one  of  its  post-conditions  IT, . 

With  the  exception  of  Section  6,  we  only  consider  in  this  paper  systems  with  actions  of  the 
form  shown  in  Equation  2.  Actions  are  either  the  time  tick  action  or  atomic  actions: 

(Time  Tick  Action )  The  action  formalizing  the  advancement  of  time  is  the  following  action 
belonging  to  the  special  agent  clock: 

Time@T  |  {}  ->clock  Time@(T  +  1).  (3) 

The  above  action  does  not  have  any  constraints,  which  is  specified  by  the  empty  set  {}.  It  is  the 
only  action  of  the  agent  clock  and  is  the  only  action  that  can  change  the  global  time. 

(Atomic  Actions )  The  rest  of  the  actions  are  instantaneous  actions  belonging  to  the  remaining 
agents.  We  impose  the  following  two  conditions  on  actions  depicted  in  Equation  2.  Firstly, 
the  global  time  Time@T  appears  in  the  pre-condition,  W,  and  in  each  of  the  post-conditions 
W\ , . . . ,  Wn  exactly  once.  Secondly,  if  Time@T  is  in  the  pre-condition  IT’,  then  all  facts  created 
by  the  rule  are  of  the  form  P@(T  +  d ),  where  dis  a  natural  number,  possibly  zero.  That  is,  all  the 
facts  created  by  this  action  have  timestamps  greater  or  equal  to  the  global  time.  Notice  that  in  this 
type  of  action  the  timestamp  of  Time  does  not  change,  that  is,  these  actions  are  instantaneous . 
Also  notice  that,  for  example,  the  following  action  is  not  allowed 

Time@T,R@T1,P@T2  |  Ti  <  T  — Time@T,  R@TU  S@Tx. 

This  is  because  the  timestamp  of  the  created  fact  S@Ti  is  not  of  the  form  (T  +  d).  That  is,  actions 
cannot  create  facts  with  arbitrary  timestamps,  instead  they  are  only  allowed  to  create  facts  whose 
timestamps  are  in  the  present  or  in  the  future,  that  is  equal  to  or  greater  than  the  current  time. 

As  we  discuss  in  Sections  4  and  6,  the  two  conditions  on  the  actions  belonging  the  agents 
different  from  the  clock  agent,  discussed  above,  play  an  important  role  for  the  decidability  of  the 
system. 

Definition  2.1.  A  timed  local  state  transition  system  (TESTS)  T  is  a  tuple  (E,  /,  Rjj,  where  E 
is  the  alphabet  of  the  language,  I  is  a  set  of  agents,  such  that  clock  £  /,  and  Rj-  is  a  finite  set  of 
actions  owned  by  the  agents  in  I  of  the  two  forms  described  above. 

An  TESTS  formalizes  a  collaborative  system  in  which  agents  interact  in  order  to  achieve  some 
common  goal.  Initial  configuration  is  the  multiset  of  facts  denoting  the  initial  state  of  the  system, 
while  the  goal  configuration  is  the  multiset  of  facts  denoting  the  final  goal.  However,  since  agents 
do  not  trust  each  other  completely,  they  also  want  to  avoid  some  critical  situations,  i.e.  situations 
that  are  considered  undesired  or  unacceptable.  Therefore,  agents  may  also  have  confidentiality 
policies,  given  as  multisets  of  facts.  Any  configuration  that  conflicts  with  some  confidentiality 
policy  of  any  agent  of  the  system  is  called  critical  configuration. 

Agents  change  the  state  of  the  system  by  performing  actions.  We  will  consider  various  problems 
that  involve  the  transformation  of  the  given  initial  configuration  into  a  goal  configuration,  avoiding 
critical  configurations  in  the  appropriate  way. 

Branching  Plans  A  branching  plan ,  or  simply  plan  is  a  tree  whose  nodes  are  configurations 
and  whose  edges  are  labeled  with  a  pair  consisting  of  an  action  and  a  number,  (a,  i).  As  depicted 
in  Figure  1,  a  plan  is  constructed  by  applying  an  action  to  one  of  its  leaves.  Formally,  consider 
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Wkj,W'  W2o,W'  ...  Wi<T,W'  ...  W„-ia,W'  W„a,W' 


Wo,  w' 


Fig.  1 .  A  branching  plan  obtained  by  applying  an  action  a  of  the  form  shown  in  Equation  2.  Here  a  is 
a  ground  substitution  for  a’s  pre-condition  W,  while  W[o, . . . ,  W'n o  are  ground  instantiations  of  a’s 
post-conditions. 


a  branching  action  a  of  the  form  shown  in  Equation  2.  that  is,  with  pre-condition  W  and  post¬ 
condition  W\  ®  •  •  •  ®  Wn.  We  enumerate  the  post-conditions  as  W\ , ,  Wn.  When  such  an  action 
is  applied  to  a  leaf  of  a  plan  labeled  with  Wi,  the  corresponding  branch  of  the  plan  is  extended  by 
adding  n  leaves.  The  configuration  labeling  the  ith  leaf  is  obtained  by  replacing  a’s  pre-condition. 
Wo,  instantiated  by  a  ground  substitution  o  in  Wj  by  the  corresponding  post-condition  of  a, 
Wio ,  instantiated  by  the  same  substitution  er.  The  edge  connecting  Wj  with  ith  new  leaf  is  labeled 
with  (a,  i).  In  the  process  fresh  values  are  created,  replacing  the  existentially  quantified  variables, 

Xi. 

For  example,  let  {Time® 6,  P(t i)@l,  QfTjWl }  be  a  configuration  appearing  in  a  leaf  of  a 
plan  V .  Then  the  following  branching  action  is  applicable: 

Time@T,  Q(Y)@T i  |  {T  >  Tx  +  1}  — >A  [3x.Time@T,  R{Y ,  x)@T]  ®  [ Time@T ,  S(Y)@T] 

and  it  extends  the  plan  V  creating  the  following  two  leaves  {Time@6,  P(ii)@l,  R(t2 ,  z)@6} 
and  {Time@6,  P(ti)@l,  <S'(t2)@6},  where  2:  is  a  fresh  value. 

If  only  non-branching  actions  are  used,  the  plan  has  a  single  branch,  i.e.  the  plan  is  simply  a 
sequence  of  actions. 

Balanced  Actions  We  classify  an  action  as  balanced  if  its  post-conditions,  Wi,  and  the 
pre-condition,  W,  have  the  same  number  of  facts.  In  Equation  2,  this  means  that  the  number  of 
facts  in  W  and  W,  are  the  same  for  all  1  <  i  <  n.  We  classify  a  TESTS  as  balanced  if  all  its 
actions  are  balanced. 

For  any  plan  P  obtained  from  a  balanced  system,  one  can  easily  prove  that  all  configurations 
in  P  have  the  same  number  of  facts,  namely  the  number  of  facts  in  P’s  initial  configuration. 
Intuitively,  this  means  the  number  of  facts  that  can  be  owned  by  an  agent  in  the  system  is  bounded 
by  the  number  of  facts  in  the  initial  configuration.  In  the  remainder  of  this  paper,  we  use  the  letter 
m  to  denote  this  number.  Moreover,  since  we  assume  facts  to  have  a  bounded  size,  denoted  using 
the  letter  k,  the  use  of  balanced  actions  imposes  roughly  a  bound  on  the  storage  capacity  of  the 
agents  in  the  system.  In  particular,  any  configuration  in  a  plan  obtained  from  a  balanced  system, 
may  have  at  most  mk  symbols.  For  more  about  balanced  systems,  we  point  the  reader  to  (KRS11; 
KBNS13). 

As  we  further  discuss  in  Section  5,  the  assumption  that  all  actions  in  the  systems  are  balanced  is 
crucial  for  showing  that  the  reachability  problem  is  in  PSPACE.  In  fact,  it  was  shown  in  previous 
work  (KRS09)  that  this  problem  is  undecidable  if  we  allow  actions  to  be  un-balanced. 
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2.2.  Planning  Problems 

Goals  of  a  collaboration  as  well  as  the  critical  situations  which  have  to  be  avoided  often  mention 
time  explicitly.  For  instance,  in  the  clinical  investigations  example  discussed  in  the  Introduction, 
the  participants  want  to  collect  conclusive  data  without  violating  regulations.  Moreover,  the 
sponsor  should  send  a  safety  report  to  the  FDA  whenever  a  serious  and  unexpected  problem 
is  detected  within  15  days.  Otherwise,  the  sponsor  can  be  severely  penalized.  We  extend  the 
notion  of  initial,  goal  and  critical  configurations  proposed  in  (KRS1 1)  by  attaching  a  set  of  time 
constraints  to  configurations.  In  particular,  timed  initial,  goal  and  critical  configurations  have  the 
following  form: 

{Q1@T1,Q2@T2,...,Qn@Tn}  |  T 

where  T  is  a  finite  set  of  time  constraints  as  shown  in  Eq.  1  such  that  its  variables  are  in 

T\,T2, . . . ,  Tn. 

For  instance,  in  the  clinical  investigations  example,  a  possible  goal  configuration  is  the  one 
representing  a  situation  when  the  data  of  a  subject  is  collected  in  specified  intervals  for  some 
number  of  times.  The  following  goal  configuration  specifies  that  the  goal  is  to  collect  the  data  of  a 
subject  25  times  in  intervals  of  28  days,  but  with  a  tolerance  of  5  days: 

{ Time@T ,  Data(Id,  l)@Ti, . . . ,  Data(Id,  25 )@T25} 

with  the  time  constraints  T)+23  <  T)+1  <  Ti+33  and  that  T  >  T),  for  1  <  i  <  25.  Formally,  any 
instantiation  of  the  variables  7} , . . . ,  X25  that  satisfies  the  set  of  constraints  above  is  considered  a 
goal  configuration. 

Similarly,  configurations: 

{Detect(Id)@T1,Report(Id,ok)@T2  }\{T2>T1  +  15} 
{Time@T,Detect{Id)@T1,Report{Id,no)@T2}  |  {T  >  Tj  +  15} 

are  critical  for  the  participants  of  a  clinical  investigation,  since  a  problem  was  detected  at  time 
Ti,  but  the  written  report  was  not  sent  to  the  FDA  on  time,  i. e. ,  within  15  days  of  detecting  the 
problem. 

Adding  time  constraints  to  configurations  is  not  a  restriction  of  the  model.  Quite  the  contrary, 
time  constraints  provide  a  general  mechanism  to  specify  in  a  succinct  fashion  the  set  of  goal  and 
critical  configurations  expressing  time  requirements. 

For  simplicity,  we  often  omit  the  word  ’’timed”  in  initial/goal/critical  configurations  regardless 
of  time  constraints  being  attached  or  not. 

As  in  (KBNS13),  we  assume  that  the  goal  and  critical  configurations  are  closed  with  respect  to 
fresh  values.  That  is,  if  a  configuration  C  containing  some  nonces  is  a  goal  (respectively,  critical) 
state,  then  Ccr  is  also  a  goal  (respectively,  critical),  where  a  is  a  renaming  of  nonce  names.  This 
assumption  is  sensible,  as  when  defining  critical  and  goal  configurations,  one  cannot  specify  the 
nonce  names  in  advance,  since  these  are  freshly  generated  during  the  execution  of  the  process 
being  modeled.  The  particular  nonce  name  should  not  matter  for  classifying  a  configuration  as 
critical  or  a  goal  configuration. 

Planning  Problems  In  (KRS11;  KRS09)  three  compliance  problems  were  introduced  in 
the  setting  without  explicit  time  or  branching  (actions  with  non-deterministic  effects).  These 
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variations  of  the  planning  problem  differentiate  in  the  approach  to  confidentiality  issues.  They 
express  different  degrees  of  trust  between  the  agents  of  the  system  and  consequently  consider 
different  demands  on  the  collaboration  process.  Moreover,  different  compliance  problems  are  not 
generally  of  the  same  computational  complexity  (KRS09). 

We  now  restate  two  if  these  problems  in  our  setting  with  explicit  time  and  branching. * 

Given  an  initial  configuration  W /  and  a  finite  set  of  goal  and  critical  configurations,  we  call  a 
branching  plan  V  compliant  if  it  does  not  contain  any  critical  configurations  and  moreover  if  all 
branches  of  V  lead  from  the  initial  configuration  W[  to  a  goal  configuration. 

—  (Timed  plan  compliance  problem)  Given  a  timed  local  state  transition  system  T,  an  initial 
configuration  W  consisting  of  timestamped  facts  and  a  finite,  possibly  empty,  set  of  time 
constraints,  a  timed  goal  configuration  Z,  and  a  finite  set  of  timed  critical  configurations,  is 
there  a  compliant  plan  which  leads  from  W  to  Z1 

—  (Timed  system  compliance  problem)  Given  a  timed  local  state  transition  system  T,  an  initial 
configuration  W  consisting  of  timestamped  facts  and  a  finite,  possibly  empty,  set  of  time 
constraints,  a  timed  goal  configuration  Z ,  and  a  finite  set  of  timed  critical  configurations,  is  no 
timed  critical  configuration  reachable  from  W ,  and  does  there  exist  a  plan  leading  from  W  to 
Z1 

In  (KRS09),  the  plan  compliance  problem  without  explicit  time  was  called  weak  plan  compli¬ 
ance. 

Notice  the  difference  in  the  confidentiality  demands  in  the  above  problems.  System  compliance 
is  a  very  strong  notion,  demanding  that  no  critical  configuration  is  reachable  no  matter  what 
happens.  It  is  most  suitable  for  modelling  very  low  level  of  trust  among  the  agents,  who  can 
confide  in  system  being  well-designed.  Since  the  plan  compliance  only  requires  the  existence  of  a 
plan  that  does  not  contain  a  critical  state,  it  is  suitable  for  systems  with  considerable  trust  among 
the  agents.  In  fact,  agents  must  trust  each  other  to  follow  the  plan,  because  if  they  deviate  from 
the  plan,  then  all  guarantees  of  compliance  are  lost. 

Although  the  above  problems  are  stated  as  decision  problems,  we  prove  more  than  just  existence 
of  a  plan.  Ideally,  we  are  also  able  to  generate  a  plan  when  there  is  a  solution.  Unfortunately,  the 
number  of  actions  in  the  plan  may  be  very  large,  potentially  increasing  the  complexity  of  the 
plan  generation.  For  this  reason  we  follow  (KRS1 1)  and  use  the  notion  of  “scheduling”  a  plan. 
However,  since  we  are  dealing  with  branching  plans,  whereas  (KRS11)  considered  non-branching 
plans,  we  need  to  agree  how  the  nodes  of  a  branching  tree  are  enumerated.  Therefore,  we  assume 
fixed  a  tree  traversal  procedure.  It  can  be  any  traversal  procedure,  for  instance,  depth-first  traversal 
procedures  (pre,  in-order,  or  post-order)  or  a  breadth-first  traversal  procedure.  Assuming  such 
a  tree  traversal  procedure,  a  scheduling  algorithm  takes  an  input  i  representing  the  node  in  the 
agreed  traversal  and  outputs  the  ith  action  of  the  plan,  which  extends  this  node. 

Definition  2.2.  Assume  pre-defined  any  tree  traversal  procedure.  An  algorithm  is  said  to  schedule 

i  The  third  compliance  problem,  introduced  as  the  plan  compliance  problem  in  (KRS09),  was  called  semi-critical  plan 
compliance  problem  in  (KBNS13)  where  it  was  observed  that,  for  systems  without  explicit  time,  this  problem  is 
reducible  to  an  instance  of  the  plan  compliance  problem  with  a  larger  set  of  critical  configurations.  This  set  includes 
the  set  of  semi-critical  configurations  from  which  it  is  possible  to  reach  a  critical  state  of  a  particular  agent  without  the 
participation  of  this  agent.  The  same  reduction  can  be  obtained  for  TLSTSes. 
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a  plan  if  it  ( 1 )  finds  a  plan  if  one  exists,  and  (2)  on  input  i,  if  the  plan  contains  at  least  i  nodes, 
then  it  outputs  the  ith  action  of  the  plan,  otherwise  it  outputs  no. 


3.  Formal  Semantics  using  Linear  Logic  with  Definitions 

Tight  connections  between  linear  logic  and  multiset  rewriting  have  been  established  in  the 
literature  (HM94;  KRS 11).  For  instance,  Kanovich  et  al.  (KRS 1 1)  established  connections  between 
linear  logic  provability  and  the  reachability  problem.  These  results  are  interesting  as  they  provide 
a  logical  foundations  to  multiset  rewriting  using  linear  logic.  Moreover,  results  established  for 
multiset  rewriting  theory  may  also  be  used  to  establish  novel  results  in  linear  logic.  For  example, 
Kanovich  et  al.  (KRS  11)  also  showed  that  the  reachability  problem  of  balanced  systems  is 
PSPACE-complete.  From  this  result  and  the  tight  connection  to  linear  logic,  we  can  establish  that 
the  provability  problem  for  the  fragment  of  balanced  bipoles  (VN12)  is  also  PSPACE-complete. 

This  section  establishes  a  similar  result  for  TLSTSe s  based  on  linear  logic  with  defini¬ 
tions  (PSH93;  DB08),  an  extension  of  linear  logic  with  fixpoint  definitions.  In  particular,  we 
provide  an  encoding  for  TLSTSes  such  that  given  an  initial  configuration  W  and  a  TLSTS ,  then 
there  is  a  one-to-one  correspondence  between  the  set  of  plans  from  IK  to  a  goal  state  Z  and  the 
set  of  (cut-free)  focused  proofs  (JMA92)  of  its  encoding.  This  result  together  with  our  complexity 
results  established  in  Section  5  allows  us  to  infer  complexity  results  for  the  reachability  problem 
for  the  fragment  below  of  linear  logic  with  definitions.  We  believe  that  this  is  the  first  complexity 
results  for  the  provability  problem  of  fragments  of  linear  logic  that  use  definitions. 

Readers  that  are  not  interested  in  Linear  Logic  may  feel  free  to  skip  this  section  and  proceed  to 
Section  4. 


3.1.  Focused  Proof  System  for  Linear  Logic  with  Definitions 

The  focused  proof  system,  LLF,  for  linear  logic  is  depicted  in  Figure  2  and  was  introduced 
by  Andreoli  (JMA92).  Focused  proofs  can  be  regarded  as  the  normal  form  proofs  for  proof 
search.  In  order  to  formally  introduce  LLF,  we  first  classify  the  connectives  1,  ®,  and  3  as 

positive  and  the  remaining  as  negative.  This  distinction  is  natural  as  the  introduction  rules  for  the 
positive  connectives  are  not -necessarily  invertible,  while  the  rules  for  the  negative  connectives  are 
invertible.  The  same  distinction,  however,  does  not  apply  so  naturally  to  literals  and  hence  these 
are  arbitrarily  classified  as  positive  or  negative.  Positive  polarity  literals  and  formulas  whose  main 
connective  is  positive  are  classified  as  positive  formulas  and  the  remaining  as  negative  formulas. 

As  one  can  see  from  an  inspection  of  LLF  in  Figure  2,  there  are  two  different  sequents  in 
LLF:  those  containing  -fT  which  belong  to  the  negative  phase  where  only  negative  formulas  are 
introduced,  and  those  containing  ))  which  belong  to  the  positive  phase  and  only  positive  formulas 
are  introduced.  The  decide  rules  D\ ,  £>2,  reaction  rules  R  -fT,  R  -U-  and  the  bang  introduction  rule  ! 
mark  transition  between  positive  and  negative  phases. 

A  key  property  of  LLF  is  that  it  allows  one  to  construct  macro-rules  that  introduce  synthetic 
connectives.  For  example,  assume  that  the  N3,N2,  N3  are  all  negative  formulas.  Then  from  the 
focusing  discipline,  there  are  only  two  possible  ways  to  introduce  the  sequent  h  0  :  Fi,  F2  1) 
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ho-.r-frL 
h  e  :  r  fr  l,  _l 


W 


Introduction  Rules 

hO-.r  ftL,F,G  b  0,F  :  r  jf  L 

h  e  :  r  fr  l,f  >§>  g  m  b  e  :  r  fr  l,?f  m 


h  e  :  rfri,T  ^ 


h0:rfrL,F  h0:rtL,G 
h0:rfi,F&G 


[&] 


hQ-.Y^L,F[c/x\ 
h  0  :  Tit  L,MxF  1  J 


1-041 


[1] 


b  0  :  T  ft  F  b  0  :  T'  ft  G  h0:|F 

h  0  :  r,r'  ft  F®  G  0  1-04  \F 


b  0  :  TftF 
b  ©  :  T  J )F®G 


b  0  :  r  ftG 

b  ©  :  T  J )F©G 


I-  0  :  r  ft  F[t/x] 
b  0  :  r  H3xF  1  1 


Identity,  Reaction,  and  Decide  rules 


b  0  :  Af  JJ-  Ap 


[h] 


b  0  :  TftP 

b  0 :  r,p-fr 


[Di] 


b  ©,  ^  4  Ap 


[h] 


b©,p:r|p 

b  0,P  :  Fit 


m 


b  0  :  r  ,Si[L 
b  0  :  r  it  L,S 


[R  ft] 


b0:rfjv 

FeTrjN 


Fig.  2.  The  focused  proof  system,  LLF.  for  linear  logic  (JMA92).  Here,  L  is  a  list  of  formulas,  0  is  a 
multiset  of  formulas,  F  is  a  multiset  of  literals  and  positive  formulas,  Ap  is  a  positive  literal,  iV  is  a 
negative  formula,  P  is  not  a  negative  literal,  and  S  is  a  positive  formula  or  a  negated  atom. 


(iVi  ©  N2)  ©  N3: 

b  0  :  Tr  ft  Nj  b  0  :  T2  ft  jV3  b  0  :  14  ft  N2  b  0  :  T2  ft  JV3 

beirr.raJK^!®^)©^  and  b0:r1;r2J ;  (JVr  ©  JV2)  ®  JV3 


Hence,  the  formula  (Ni  ©  N2)  ®  N3,  under  the  focusing  discipline,  specifies  such  macro-rules 
which  are  obtained  by  applying  the  corresponding  positive  and  a  negative  phase  rules. 

One  can  specify  in  a  similar  way  a  multiset  rewrite  rule  r  as  a  linear  logical  formula  F(r) 
in  such  a  way  that  the  macro-rule  obtained  by  focusing  on  F(r)  corresponds  exactly  to  the 
operational  semantics  of  the  rewrite  rule  r  (HM94).  But  in  order  to  specify  in  the  same  way  the 
semantics  of  time  constraints  of  TLSTSe s,  we  need  more  machinery,  namely  definitions  (PSH93; 
DB08).  A  definition  is  a  finite  set  of  clauses  which  are  written  as  \/x[P(x)  =  B\.  here  P  is  a 
predicate  and  every  free  variable  of  B  (the  body  of  the  clause)  is  contained  in  the  list  x.  The 
symbol  =  is  not  a  logical  connective  but  is  used  to  indicate  a  definitional  clause.  We  consider  that 
every  defined  predicate  occurs  at  the  head  of  exactly  one  clause.  Introduction  rules  for  definitions 
are  shown  below,  where  a  definition  can  be  unfolded  on  both  the  positive  phase  and  the  negative 
phase: 


b  0  :  r  D  B8 
b0:f|P(cl 


[defJJ-] 


b  0  :  T  ft  L,  B6 
b  0  :  T  ft  L,  P{c) 


[defft] 


The  proviso  for  both  of  these  rules  is:  \/x[P(x)  =  B]  is  a  definition  clause  and  8  is  the  substitution 
that  maps  the  variables  x  to  the  terms  c,  respectively.  Thus,  in  either  phase  of  focusing,  if  a  defined 
atom  is  encountered,  it  is  simply  replaced  by  its  definition  and  the  proof  search  phase  does  not 
change. 
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We  also  include  the  rules  for  equality  shown  below: 

{(LQ:ritL)6\deCSU(r,s)} 

b  0  :  T  fi  L,  r  ±  s  [^rJ  h  0  :  •  r  =  r  [  rJ 

where  CSU(s,  r)  denotes  the  complete  set  of  unifiers  of  two  terms.  Since  we  are  dealing  with 
first-order  logic  terms,  this  set  either  contains  one  unifier,  the  most  general  unifier,  or  it  is  empty 
when  the  terms  r  and  s  are  not  unifiable.  Notice  that  right  equality  introduction  rule  behaves 
exactly  as  the  rule  [1],  The  proof  theory  of  inference  rules  such  as  these  is  well  studied  (see,  for 
example,  (BM07;  MMOO;  DB08)).Linear  logic  with  definitions  admits  cut -elimination  of  LLF  with 
definitions  (MM00)§  and  the  focusing  discipline  used  above  was  shown  to  be  complete  (DB08). 
This  paper  will  only  need  the  =r  rule. 


3.2.  Encoding  TLSTSes  in  Linear  Logic  with  Definitions 


Encoding  Arithmetic  Conditions  We  show  how  to  express  the  semantics  of  TLSTSes  as 
search  for  cut-free  focused  linear  logic  proof  with  definitions.  In  particular,  we  use  the  following 
definitions  to  specify,  for  example,  the  arithmetic  operations  of  <,<  and  +  that  appear  in 
constraints: 

x  <  y  =  [a;  =  zr\  ® 

[3x'y'.(x  =  s(x'))  <8 )(y  =  s(y'))  ®  ( x '  <  y')\. 

x  <y  =  [3y'.(x  =  zr)  <g>  (y  =  s{y'))}  © 

[3x'y'.{x  =  s(x'))  ®(y  =  s(y'))  ©  (x'  <  y')]. 

Plus(x,y,z )  =  [(x  =  zr  ®  y  =  z)]® 

[3x'z'.((x  =  s(x'))  <g>  (z  =  s(z'))  <8  Plus(x',  y,  z')\. 

where  natural  numbers  are  expressed  by  using  the  successor  function  s  and  the  constant  zr 
denoting  the  natural  number  zero.  For  instance,  the  definition  for  <  contains  two  disjuncts:  the 
left  disjunct  specifies  the  base  case  when  the  value  of  x  is  zero,  and  the  right  disjunct  the  inductive 
case,  where  both  x  and  y  are  the  successors  of  two  numbers  x'  and  yf  such  that  x'  <  y' .  The  other 
arithmetic  operations  can  be  specified  in  a  symmetric  way. 

As  observed  in  (NM09),  the  definitions  above  can  be  used  to  compute  an  arithmetic  operation 
in  a  single  focused  step.  This  is  because  the  body  of  all  the  definitions  above  is  positive.  Therefore, 
once  one  focuses  on  one  of  the  atoms  defined  above,  one  does  not  lose  focus  anymore  and  hence 
a  proof  consists  necessarily  of  a  single  positive  phase.  For  example,  if  we  focus  on  the  atom 


Technically  it  was  shown  that  cut-elimination  works  when  definitions  satisfy  certain  conditions  which  are  out  of  scope 
of  this  paper.  The  definitions  that  we  need  here  fall  under  this  fragment. 
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s(zr)  <  s(s(zr))  one  obtains  the  following  derivation: 

I —  ©  :  •  4J-  s(zr)  =  s(zr)  ^  ^  h  0  :  •  jj  s(s(zr))  =  s(s(zr)) 


h  0  :  •  JJ-  zr  <  s(zr) 


1-0:4  s(zr)  =  s(zr)  (g)  s(s(zr))  =  s(s(zr))  (g)  zr  <  s(zr) 
h  0  :  •  U-  3 x'y's(zr)  =  s(x')  (g )  s(s(zr))  =  s(y')  ®x'<y' 
h  0  :  •  IJ.  [s(zr)  =  zr]  ®  [3x'y's(zr)  =  s(a:')  (g>  s(s(zr))  =  s(y')  g)  x’  <  y'] 


[2  x  <g>] 


I —  ©  :  •  4J-  s(zr)  <  s(s(zr)) 


[defjj.] 


At  the  open  branch,  the  definition  for  the  atom  zr  <  s(zr)  is  necessarily  unfolded  and  the  left 
disjunct  of  its  definition  is  used  to  finish  the  proof.  Notice  that  under  the  focusing  discipline  there 
is  no  other  way  to  introduce  a  sequent  focused  on  the  atom  s(zr)  <  s(s(zr)).  If,  for  example, 
one  attempts  to  prove  the  sequent  by  choosing  instead  the  left  disjunct  of  its  body  definition,  one 
would  fail  since  it  is  not  possible  to  introduce  a  sequent  focused  on  the  equality  s(zr)  =  zr.  For  a 
similar  reason,  to  obtain  a  proof,  one  has  to  instantiate  the  variables  x '  and  if  with  zr  and  s(zr), 
respectively.  Otherwise,  it  is  not  possible  to  introduce  the  resulting  equalities. 


Encoding  of  Timestamped  Facts  and  Constraints  Using  above  definitions,  we  encode  a 
constraint  of  the  form  7j  o  T2  +  d  as  a  logical  formula 

[Plus{T2,  rcT',  T2’)\  <g>  [Ti  o  7%\, 

where  o  g  {>,>,=,<,<}  and  r (P  is  the  term  corresponding  to  the  natural  number  d.  The 
encoding  contains  the  constants  s  and  zr.  For  instance,  the  natural  number  2  is  translated  into  the 
term  s(s(zr)).  Notice  as  well  that  this  formula  has  only  positive  connectives  and  as  illustrated 
above,  once  it  is  focused  on,  focusing  is  never  lost.  Therefore,  we  can  use  them  to  check  in  one 
positive  phase  whether  a  constraint  is  satisfied.  If  C  is  a  constraint  then  we  denote  rCn  as  the 
logical  formula  obtained  from  C. 

To  encode  a  timestamped  fact  with  predicate  name  P  in  linear  logic,  we  use  a  new  predicate 
name  P'  with  arity  increased  by  one.  The  encoding  rP(c)@t~'  is  the  formula  P'(c,  t).  We  extend 
the  definition  of  r  n  for  constraints,  natural  numbers,  and  timestamped  facts  to  multiset  as  usual. 

The  encoding  of  a  configuration  will  be  placed  in  the  linear  context  of  sequents,  namely  in  the 
context  r  of  the  sequents  h  (-)  :  1’  f|\  As  we  show  below,  the  encoding  of  rewrite  rules  will  be 
placed  in  the  classical  context,  that  is,  the  context  0.  This  is  because  rewrite  rules  can  be  used  any 
number  of  times. 


Encoding  of  Actions  To  encode  an  action  of  the  form 

w\r^A  3t1.wl®---®fn.wn 

in  linear  logic,  we  first  need  to  specify  the  timestamps  of  the  form  T  +  d,  appearing  in  the 
post-conditions  WjS.  For  this,  we  construct  two  sets  Wj  and  WJ  from  W'\  for  each  fact  of  the 
form  Qi@(T  +  di )  in  W'  we  add  Qi@Ti  in  Wj ,  where  Tt  is  a  new  variable,  and  the  formula 
Plus(T,  rdP ,  Ti)  to  \  and  for  each  fact  of  the  form  Q,@(T)  in  W'  we  add  the  same  fact  to 
Wj  and  no  formula  in  Wj.  Intuitively,  the  set  Wj  specifies  the  values  for  the  new  time  variables 
used  in  wj  to  be  the  same  as  specified  in  the  original  timestamps  in  W.  One  could  regard  the  set 
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Wj  as  a  set  of  constraints  to  the  new  time  variables  introduced.  For  instance,  the  post-condition 
of  the  following  action. 


TimeMT ,  P(x)@7i,  Q{y)@T2  \  {T2  >  Tx  +  1}  3u.Time@T,  P(u)@(T  +  2),  R{x)@T, 


returns  the  sets  {Tnne@T,  P(u)@(T2),  R(x)@T}  and  {Plus(T,  s(s(zr)),  X^)}. 

Now,  we  are  ready  to  encode  actions  in  linear  logic:  an  action  of  the  form  W  \  T  — 
3t\.W\  ®  •  •  •  ©  tn-Wn  is  encoded  as  the  linear  logic  formula 


F  =  Mx 


j=n 

0rW^n  8)  qA  ®  (g)rrn  ®  0  Wj 

j= i 


j—n 

0  ^3f.  0rff//“l  ®  qA 

3= 1 


where  x  are  the  free  variables  appearing  in  the  rule  together  with  all  the  new  variables  introduced 
by  the  translation  r  n  and  in  the  set  W j.  Also,  the  atomic  formula  qA  is  used  only  to  mark  that 
this  action  belongs  to  agent  A.  Moreover,  the  encoding  of  a  set  of  transition  rules  rRxn  is  the  set 
with  the  encoding  of  all  the  transition  rules  in  R-j-,  and  the  set  of  propositions  used  to  mark  a  rule 
to  an  agent  is  defined  as  Qj  =  {qA  :  A  £  /}.  Intuitively,  the  encodings  of  actions  are  placed  in 
the  unbounded  context  in  the  left-hand-side  of  a  sequent.  However,  since  we  are  using  a  one-sided 
proof  system,  we  use  its  negation  in  the  one-sided  LLF  system  with  definitions: 


F±  =  3x 


j=n  \  j-n 

(g)rW^  ®  qA  ®  (0rTn  ®  0  W?  ®  fy;  ’S’  qi) 

i-i  /  J=1 


Assume  now  that  all  atomic  formulas  have  positive  polarity,  and  consequently  their  negation 
negative  polarity.  The  focused  derivation  introducing  F~  necessarily  has  to  be  of  the  form  below. 
Recall  that  the  encodings  of  rewrite  rules  are  in  the  classical  context  0,  thus  F1-  £  0. 


f  e  :  a  jj.  (gf-w  ®  grr_i  ®  <g)]zr;  wj®qA  h  e :  r  if  &£ 

F  e  :  r,  A  (®r ®qA®  (g)rrn  ®  Wj')  ®  &jzj 

’S’  qi)' 

-  Tn 

F  0  :  T,  A  If  F± 
h  0  :  T,  A  f  •  [°2] 

-  in 

[®] 

x  3] 


Since  ®  is  a  positive  connective,  the  left -premise  is  necessarily  introduced  by  a  completely  positive 
phase  introducing  all  tensors  in  <§Z)rW~'  8  qA  (/,  (x)rTn  0  "  Wj  until  one  only  focuses  on 

atomic  formulas.  There  are  then  two  types  of  atomic  formulas:  the  first  type  are  atoms  that  have 
a  definition,  such  as  Plus ,  and  those  that  do  not  have  a  definition,  such  as  qA.  When  one  of  the 
former  is  focused  on,  the  focusing  discipline  forces  its  definition  to  be  opened,  thus  computing 
the  values  of  the  timestamps  of  the  facts  in  the  post-conditions,  specified  in  Wj.  Moreover,  as 
discussed  above,  these  are  proved  without  using  any  formulas  from  A.  That  is,  the  sequent  below 
is  proved  in  a  single  positive  phase: 

j—n 

l~  0  :  •  JJ-  0)  Wj 

j= i 

The  same  happens  when  checking  whether  the  rule  guard  is  satisfied  or  not.  In  particular,  the 
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following  sequent  should  be  proved  in  a  single  positive  phase 

I-  0  :  •  U-  (g)rr^ 

and  is  provable  if  and  only  if  the  guard  T  is  satisfied. 

The  second  type  of  atoms  are  those  that  do  not  have  definitions  and  appear  in  rW~'  and  the  fact 
qA.  Since  these  are  assumed  to  have  positive  polarity,  the  only  applicable  rule  when  these  are 
focused  on  is  an  initial  rule.  This  forces  A  to  be  exactly  the  negation  of  the  facts  in  rW~'  union 
the  fact  qA.  In  contrast,  for  the  right-premise  of  the  derivation  above,  since  V  and  *8  are  negative 
connectives,  the  right-premise  is  necessarily  introduced  by  a  negative  phase  introducing  these 
connectives.  Hence,  the  macro-rule  introducing  an  encoding  of  the  transition  rule  is  necessarily  of 
the  form,  which  corresponds  to  the  one  in  Figure  1 : 

\- Q  :T1q^,rW{^±a  ■  •••  P  Q  :T1q^,rWln±a  ■ 

b  e  :  r ,q^,rWn±a  ft  • 

Notice  that  if  the  pre-condition  or  the  constraints  in  Y  of  the  action  are  not  satisfied,  then  there  is 
no  focused  proof  which  focuses  on  the  encoding  of  this  transition.  This  handles  the  inductive  case 
of  the  adequacy  result  of  our  encoding  of  TLSTS  in  Linear  Logic  with  Definitions  (Theorem  3.1). 

Encoding  of  Partial  Goal  The  base  case  of  our  adequacy  result  consists  in  checking  if  a 
partial  goal  is  reached.  This  is  specified  in  a  similar  way  as  before.  Let  the  set  of  facts  Z  and  the  set 
of  time  constraints  Y  constitute  a  goal  configuration  G.  To  check  whether  this  goal  configuration 
is  reached,  we  encode  G,  written  rGn  as  follows: 

3f.  (££ )r <g)  rTn  <8 )  T, 

where  x  is  the  set  of  time  variables  appearing  in  the  goal  configuration.  This  formula  is  necessarily 
introduced  by  the  following  focused  derivation: 

h  0  :  A  ft  (g)rZn  L  0  :  •  ft  <g )rTn  h  0  :  TftT  ^ 
h0:T,Aft(gr^®rr®T  [2  X 

b  0  :  T,  A  ft  3x.  <g )rZ^  0  rTn  0  T  "  *  J 
b  0  :  T,A  ft  •  ^ 

As  before,  since  all  atoms  are  assigned  with  positive  polarity,  the  focusing  discipline  forces  that  A 
contains  exactly  the  negation  of  the  facts  appearing  in  rZn,  that  all  constraints  in  Y  are  satisfied, 
and  that  T  contains  the  remaining  facts  in  the  sequent.  That  is,  the  current  configuration  is  a  goal 
configuration. 

Given  the  discussion  above,  we  prove  the  following  connection  between  linear  logic  with 
definitions  and  reachability  using  TLSTS  by  induction  on  the  height  of  derivation  trees  and  on 
the  height/length  of  branching  plans. 

Theorem  3.1.  Let  T  =  (E,  /,  R-y)  be  a  timed  local  transition  system.  Let  W  be  an  initial 
configuration  and  G  be  a  goal  configuration  under  the  signature  E.  Then  the  sequent 

b  :Qf,rIEftrGnft- 
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is  provable  in  linear  logic  with  definitions  where  rXn  is  the  encoding  as  defined  above  iff  there  is 
a  branching  plan  whose  root  is  W  and  whose  leaves  contain  G. 

In  fact,  the  adequacy  we  get  is  stronger  than  what  is  stated  by  the  result  above.  The  adequacy  is 
on  the  level  of  derivations  (NM10).  That  is,  proof  search  in  the  linear  logic  encoding  corresponds 
exactly  to  search  using  the  encoded  TLSTS.  However,  we  must  also  notice  that  our  encoding 
only  deals  with  reachability  and  not  with  the  Planning  Problem  as  we  do  not  check  whether  a 
state  is  critical.  But,  one  can  check  whether  a  critical  state  C  is  reachable  from  an  initial  state  by 
specifying  the  reachability  goal  G  to  be  the  critical  state  C. 


4.  Dealing  with  the  Unboundedness  of  Time 

Comparing  our  timed  collaborative  models  introduced  here  with  the  results  on  the  untimed  collab¬ 
orative  systems  in  our  previous  work  (KBNS13),  we  meet  with  a  number  of  crucial  difficulties. 
In  the  case  of  planning  problems  for  the  untimed  systems  with  balanced  actions,  we  are  dealing 
with  a  finite  (though  huge)  state  space.  Here  the  state  space  is  internally  infinite ,  since  an  arbitrary 
number  of  time  advances  is  allowed  in  principle.  For  a  straightforward  example,  consider  a  plan 
where  time  is  eagerly  advanced.  That  is,  consider  a  plan  with  a  single  branch  where  time  advances 
constantly: 


Time© 0,  W  — >ciock  Time©  1,  W  — >ciock  Time@ 2,  W  — >ciock  ■  ■  ■ 

Since  there  are  no  bounds  on  the  length  nor  depth  of  plans,  the  final  value  of  the  global  time 
cannot  be  bounded  in  advance. 

This  section  describes  how  to  overcome  the  above  problem  by  proposing  an  equivalence  relation 
between  configurations.  The  key  idea  is  that  since  time  constraints  are  relative,  that  is,  they  involve 
the  difference  of  two  timestamps,  we  do  not  need  to  keep  track  of  the  actual  values  of  timestamps, 
in  order  to  determine  whether  our  time  constraints  are  satisfied  or  not. 


Truncated  time  differences  Many  formal  definitions  and  results  in  this  paper  mention  an 
upper  bound  Dmax  on  the  numeric  values  of  a  given  planning  problem.  This  value  is  computed 
from  the  problem  itself:  we  set  D.max  to  be  an  upper  bound  on  the  numbers  appearing  explicitly  in 
a  given  planning  problem.  This  bound  is  essential  in  our  approach  to  handling  the  unboundedeness 
of  time,  and  in  particular,  with  technicalities  related  to  facts  denoting  future,  that  is  facts  with 
timestamps  that  are  greater  than  the  global  time,  which  we  explain  in  detail  later  on  in  this  section. 

In  particular,  instead  of  actual  values  of  timestamps,  we  will  store  the  time  differences  among 
the  facts,  but  truncated  by  that  upper  bound.  Formally,  given  a  planning  problem  with  the  model  T, 
let  Dmax  be  a  natural  number  such  that  Dmax  >  n  +  1  for  any  number  n  appearing  in  time 
constraints  and  actions  in  T,  and  in  the  initial,  goal  and  critical  configurations.  That  is,  Dmax 
is  the  upper  bound  on  any  numeric  value  appearing  either  in  a  constraint  (  T)  o  Tj  ±  n,  for 
o  £  {<,  >,  =<,  >}  ),  in  a  timestamp  of  a  fact  in  some  action  ( e.g .  F@(T  +  n)  ),  or  in  the 
timestamps  of  the  initial  configuration. 

Then  the  truncated  time  difference  of  two  timed  facts  P@Ti  and  Q@T2  with  T)  <  T2,  denoted 
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by  Sp,Q,  is  defined  as  follows: 


^  _  f  T2  -  T-i .  provided  T2  -  Ti  <  Dmax 

\  oo,  otherwise  . 

Intuitively,  we  can  truncate  time  differences  without  sacrificing  soundness  nor  completeness 
because  time  constraints  are  relative  as  defined  in  Eq.  1.  Hence,  if  the  time  difference  of  two 
facts  is  greater  than  the  upper  bound  Dmax ,  then  it  does  not  really  matter  how  much  greater  it 
is,  but  just  that  it  is  greater.  For  instance,  consider  the  time  constraint  t-\  >  t2  +  d  involving 
the  timestamps  of  the  facts  P@ti  and  Q@t2 .  If  <5q,p  =  oo,  this  time  constraint  is  necessarily 
satisfied. 


Equivalence  between  configurations  We  use  the  notion  of  truncated  time  differences  intro¬ 
duced  above  to  formalize  the  following  equivalence  relation  among  configurations. 

Definition  4.1.  Given  a  planning  problem  with  the  TLSTS  T,  let  Dmax  be  an  upper  bound  on 
the  numeric  values  appearing  in  T  and  in  the  initial,  goal  and  critical  configurations.  Let 

5  =  Q1@T1,Q2@T2, ...,  Qm@Tm  and  5  =  Q2@T2, . . . ,  Qm@Tm 

be  two  configurations  written  in  canonical  way  where  the  two  sequences  of  timestamps  Ti, ... ,  Tm 
and  Tj , . . . ,  Tm  are  non-decreasing.  (For  the  case  of  equal  timestamps,  we  sort  the  facts  in 
alphabetical  order,  if  necessary.)  Then  S  and  S  are  equivalent  if  for  any  1  <  i  <  m  either  of  the 
following  holds: 

Ti+i  —  Ti  =  Ti+i  —  Ti  <  Dmax  or  both  T,+1  —  Tt  >  Dmax  and  Ti+i  —  X)  >  Dmax. 

In  order  to  illustrate  the  above  equivalence,  assume  that  Dmax  =  3  and  consider  the  following 
two  configurations: 

{R@ 3,  P@ 4,  Time@ll,  Q@  12, 5@14}  and  {R@ 0,  P@  1,  Time@6,  Q@ 7,  S@9}  . 

According  to  the  above  definition,  these  configurations  are  equivalent  since  their  truncated  time 
differences  are  the  same.  This  can  be  observed  by  checking  their  canonical  representation,  called 
8-representation  defined  below. 

Definition  4.2.  Let  S  =  Qi@Ti,Q2@T2,  . . . ,  Qm@Tm  be  a  configuration  written  in  canonical 
way  where  the  sequence  of  timestamps  Ti, . . .  ,Tm  is  non-decreasing(for  the  case  of  equal 
timestamps,  we  sort  the  facts  in  alphabetical  order,  if  necessary)  and  let  D.max  be  an  upper  bound 
in  a  planning  problem  (as  per  Definition  4.1).  The  8-representation  of  configuration  S ,  denoted 
by  5s,  is  the  tuple 

(Q  i,  &Ql  ,Q2  )  Q2  5  ^ Q2  1Q3  iQst  •  •  ‘  iQil  ^Qi.Qi  +  l  >  Qi  +  1  5  *  *  •  ;  Qm—  1  5  ^Qm  —  l.Qm  5  Q  m)  • 

A  ^-representation  is  constructed  from  a  given  configuration  by  sorting  its  facts  according  to 
their  timestamps  and  sorting  facts  in  alphabetical  order  as  tie-breaker.  Then  we  compute  the  time 
difference  among  two  consequent  facts,  4q,  .q,+1  •  For  instance,  both  configurations  given  above 
have  the  following  (5-representation: 


(R,  1,  P ,  oo,  Time,  1,  Q,  2,  S) . 
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Here  a  value  appearing  between  two  facts,  Qi  and  Q,+  \ ,  is  the  truncated  time  difference  of  the 
corresponding  facts,  <5q,(  iqi+1  ,  e.g.  ,  < 5r,p  =  1  and  dp,  Time  =  oo.  It  is  also  easy  to  see  that  from  the 
tuple  above,  one  can  compute  the  remaining  truncated  time  differences.  For  instance,  d-rime.s  =  3, 
since  1  +  2  =  3,  while  5r,q  =  oo,  since  1  +  oo  +  1  =  oo. 

We  now  formalize  the  intuition  described  above  that  using  time  differences  that  are  truncated  by 
an  upper  bound  instead  of  actual  timestamps,  we  are  able  to  determine  whether  a  time  constraint 
is  satisfied  or  not. 

Lemma  4.1.  Let  S  and  S  be  two  equivalent  configurations  from  Definition  4.1. 

5  =  Qi@Ti,  Q2@T2, ...,  Qn@Tn  and  5  =  Q1@T1,Q2@T2, ...,  Qn@Tn. 

Then  the  following  holds  for  all  i  and  j  such  that  i  >  j,  and  for  all  a  <  D.max\ 

Ti  —Tj=a  if  and  only  if  T,;  —  Tj  =  a 

T,  —Tj<a  if  and  only  if  Tj  —  Tj  <  a 

Ti  —  Tj>a  if  and  only  if  Tj  —  Tj  >  a 

Proof.  The  only  interesting  case  is  the  last  one,  which  can  be  proved  by  using  the  fact  that 
a  <  Dmax  and  that  S  and  S  are  equivalent.  Hence,  Ti  —  Tj  >  Dmax  >  a  is  true  if  and  only  if 
Tj  —  Tj  >  Dmax  >  a  is  true,  and  Dmax  >Ti  —  Tj  >  a  is  true  if  and  only  if  Dmax  >  Ti  —  Tj  >  a, 
since  Tj  —  Tj  =  Tj  —  Tj.  □ 

Following  Lemma  4.1,  we  say  that  a  S- representation  A  satisfies  a  constraint  if  a  configuration 
W,  such  that  Sw  =  A,  satisfies  that  constraint. 

Handling  time  advances  and  action  applications  Our  next  task  is  to  show  that  our  equiva¬ 
lence  relation  using  truncated  time  differences  is  well-defined  with  respect  to  actions.  That  is,  we 
show  that  actions  preserve  the  equivalence  among  configurations.  This  will  allow  us  to  represent 
plans  using  ^'-representations  only. 

We  extend  action  application  to  ^representations.  It  follows  from  the  Lemma  4.1  that  the  same 
action  is  applicable  in  configurations  with  the  same  ^-representation.  We,  therefore,  say  that  an 
action  is  applicable  in  a  8-representation  A  if  the  same  action  is  applicable  in  a  configuration  W, 
such  that  Sw  =  A.  That  is,  any  action  a  that  is  applicable  in  some  configuration  S  is  applicable  in 
its  ^-representation  8s.  and  the  resulting  ^-representation,  8's,  is  the  ^-representation  of  S',  where 
S  t a  S': 

8s  — >a  5s' 

l  l  (4) 

S  — >a  S' 

This  is  well  defined  if  it  is  independent  of  the  choice  of  configurations.  Recall  that  there  are  two 
types  of  actions,  namely  time  advances  and  instantaneous  actions  that  belong  to  agents.  Time 
advances  only  change  the  timestamp  denoting  the  global  time  while  the  rest  of  the  configuration 
remains  unchanged.  Therefore,  when  we  advance  time  in  a  ^-representation,  the  position  of  Time 
and  the  truncated  time  differences  involving  Time  need  to  be  updated.  Depending  on  concrete 
values  of  time  differences,  the  fact  Time  may  move  to  the  right. 

For  example,  for  Dmax  =  5  and  the  configuration  P@  1,  Time@3i  Q@ 5,  £@7}  with 
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the  time  advance  action  Time@T  — >ciock  Time@(T  +  1)  we  get 

{R@0,  P@  1,  Timem,  Q@ 5,  S@7}  — >clock  {f?@0,  P@  1,  Time® 4,  Q@ 5,  ^@7} 

i.e.  ( R ,  1,  P,  2,  Time,  2,  Q,  2,  S)  — >ciock  {R,  1,  P,  3,  Time,  1,  Q,  2,  5)  . 

With  another  application  of  time  tick  action  we  then  get: 

(R,  1,  P,  3,  Time,  1,  Q,  2,  S)  — >ciock  (R,  1,  P,  oo,  Q,  0,  Time,  2,  5)  . 

Generally,  the  time  advance  action  Time@T  — >ciock  Time@(T  +  1)  applied  to 

A  —  ( Qi ,  (5i, . . . ,  Qi— i ,  (5^—1,  Time,  <5* ,  ,  ^-j-i ,  •  •  • , ,  dm—  t ^  Qm) 

results  in  the  following  ^-representation  A',  alphabetically  sorted  whenever  truncated  time  differ¬ 
ences  are  equal  to  0: 

{Q 1 ,  ^1 ;  •  •  •  i  Qi—  1 1  [^i—  1  "F  1]  t  Time,  5i  1,  Qi-\- 1 ,  ,  •  •  •  5  $m—  h  Qm)  i  if  Sj  +  1 

(Qi  i  ^t )  •  •  * ;  Qi—  1 1  ^i—h  Qi- t-i  :••••,  Qi-\-i  5  T  1] ,  Time,  Si+i  1  ,  .  .  .  ,  Sjn—i ,  Qm) , 

if  &i  —  &i-\-i— i  —  0,  i>  0 

where  [d]  denotes  d,  for  d  <  Dmax,  and  denotes  oo  otherwise. 

In  case  A  =  (Qi,<5i, . . .  ,5m-\,Time),  then  A  =  (<2i,5i, . . . ,  [<5m_i  +  l],Ti?ne) . 

For  the  application  of  instantaneous  actions  recall  that  the  fact  Time@T  remains  unchanged, 
while  some  facts  from  the  pre-condition  of  the  action  are  replaced  with  other  facts  whose  times¬ 
tamps  are  of  the  form  T  +  d.  We  modify  the  i5 -representation  in  the  following  way.  We  first  remove 
the  facts  that  appear  in  the  pre-condition  of  the  action  and  not  in  its  post-condition.  Then  we  insert 
the  new  facts  from  the  post-condition,  positioning  them  on  the  basis  of  their  time  difference  to  the 
fact  Time ,  and  alphabetically  if  necessary.  Finally,  we  fill  in  the  new  time  differences.  This  is 
best  explained  on  an  example.  Consider  the  following  ^-representation 

A  =  (B(d),  0,  P(c),  1,  G{a,  b ),  3,  Time,  1,  F{a),  2,  F(d)) 

with  Dmax  =  3  and  the  action 

Time@T,G(x,y)@T1,F(x)@T2  -A  3z.Time@T,G(y,  z)@(T  +  1),  F{y)@T 

which  is  applicable  to  A  with  the  substitution  <r(x)  =  a,  a(y)  =  b.  We  remove  those  facts  from 
the  pre-condition  that  do  not  appear  in  the  post-condition,  namely  G(a ,  b)  and  F(a),  and  get  an 
expression 

B{d),  0,  F(c),  1,  3,  Time,  1,  _ ,  2,  F(d) . 

Next  we  insert  the  facts  that  appear  in  the  post-condition  and  not  in  the  pre-condition.  In  our  case 
above  that  is  the  fact  G(b,  n),  where  n  is  a  fresh  value.  The  placement  of  these  facts  is  determined 
by  the  timestamps  appearing  in  the  action,  which  are  of  the  form  T  +  d,  where  T  is  the  global 
time.  In  our  example  the  fact  G(b,  n)  comes  with  the  timestamp  (T  +  1)  and  we  get: 

(B(d),  0,  F(c),  oo,Time,  1,  G{b,  n),  2,  F(d)) . 

after  updating  the  truncated  time  differences.  Notice  that,  for  example,  the  relative  time  difference 
between  facts  F(d)  and  Time  is  still  3. 

However,  in  order  to  prove  that  actions  preserve  the  equivalence  among  configurations,  we  need 
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yet  another  assumption  to  be  able  to  faithfully  handle  time  advances.  The  problem  lies  within  the 
future  facts,  that  is,  the  facts  with  timestamps  greater  than  the  global  time.  If  there  is  a  future  fact 
P  such  that  (Jxime.p  =  oo,  then  it  is  not  the  case  that  equivalence  is  preserved  when  we  advance 
time.  For  example,  consider  the  following  two  configurations  equivalent  with  the  upper  bound 

Dmax  —  3. 

5-|  =  {  Time@0,  P@ 5}  and  52  =  { Tirne@0,  P@4}. 

If  we  advance  time  on  both  configurations,  then  the  resulting  configurations,  <Sj  and  Sf  are  not 
equivalent.  In  particular,  the  truncated  time  difference  ^xime.p  is  still  oo  in  <Sq,  while  it  changes  to 
3  in  Sf  Notice  that  the  same  problem  does  not  occur  neither  with  present  nor  past  facts,  i.e.,  the 
facts  with  timestamps  that  are  smaller  or  equal  to  the  global  time. 

Definition  4.3.  Given  an  upper  bound  Dmax  in  a  planning  problem  (as  per  Definition  4.1), 
a  configuration  S  is  called  future  bounded  if  for  any  future  fact  P  in  S,  the  time  difference 

hliinc.  P  5  Dmax. 

Recall  from  Section  2  that  there  are  two  types  of  actions,  namely,  the  action  that  advances 
time  and  instantaneous  actions  belonging  to  agents.  Moreover,  recall  that  the  latter  actions  are 
restricted  in  such  a  way  that  all  created  facts  have  timestamps  of  the  form  T  +  d,  where  T  is  the 
global  time.  This  restriction  allows  us  to  show  that  actions  preserve  the  future  boundedness  of 
configurations  as  states  the  following  result. 

Lemma  4.2.  Let  T  be  a  TLSTS,  Dmax  be  the  upper  bound  in  a  planning  problem  (as  per 
Definition  4.1),  and  S  be  a  future  bounded  configuration.  Let  S'  be  the  configuration  obtained 
from  S  by  applying  an  arbitrary  action  in  T.  Then  S'  is  also  future  bounded. 

Proof.  Let  S  -A  S',  and  assume  S'  is  not  future  bounded.  Then  there  is  a  fact  Q'@T'  in  S' 
such  that  T'  —  T  >  Dmax,  where  T  is  the  timestamp  of  Time,  i.e.  the  global  time  in  both  S  and 
S'.  Since  S  is  future  bounded,  the  fact  Q’@T'  does  not  appear  in  S,  but  is  created  by  the  action  a. 
Hence,  T'  =  T  +  D  for  some  number  D  <  Dmax,  which  contradicts  with  T'  —  T  >  D.max.  □ 

As  per  Definition  4. 1  the  initial  configuration  in  a  planning  problem  is  future  bounded,  which 
as  per  above  lemma  implies  that  all  configurations  in  a  plan  are  also  future  bounded.  Notice  that 
even  if  we  relax  the  assumption  that  the  initial  configuration  is  future  bounded,  we  can  make  it 
future  bounded  by  setting  the  value  of  Dmax  to  be  the  greater  than  all  the  timestamps  in  the  initial 
configuration,  i.e.,  Dmax  would  still  be  the  upper  bound  on  the  values  of  the  given  TLSTS  and  in 
the  initial,  goal,  and  critical  configurations.  The  important  result,  given  by  the  above  lemma,  is 
that  future  boundedness  is  preserved  with  action  application. 

Following  Lemma  4. 1  and  Lemma  4.2,  given  a  planning  problem,  we  say  that  a  ^-representation 
is  an  initial  / goal  /  critical /future  bounded  5-representation  if  it  is  the  5-representation  of  an 
initial  /  goal  /  critical  /  future  bounded  configuration.  A  plan  over  5-representations  is  compliant 
for  a  given  planning  problem  if  it  does  not  contain  any  critical  5-representations  and  if  all  of  its 
branches  lead  from  the  initial  5-representation  to  a  goal  5-representation. 

We  are  now  ready  to  show  the  main  result  of  this  section. 

Theorem  4.1.  For  any  given  planning  problem  the  equivalence  relation  between  configurations 
given  by  Definition  4.1  is  well-defined  with  respect  to  the  actions  of  the  system  (including 
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time  advances)  and  goal  and  critical  configurations.  Any  plan  starting  from  the  given  initial 
configuration  can  be  conceived  as  a  plan  over  ^-representations. 

Proof.  We  first  prove  that  the  equivalence  among  configurations  is  well  defined  with  respect  to 
application  of  actions,  i.e.  that  action  application  on  ^'-representations  is  unambiguous.  It  must  be 
independent  of  the  choice  of  configurations  in  (4).  Consider  the  diagram  below,  where  and  S2 
are  two  equivalent  configurations.  Assume  that  <Si  is  transformed  to  <S(  by  means  of  an  action  a. 
By  Lemma  4. 1  the  configuration  S2  also  complies  with  the  time  constraints  required  in  a ,  and 
hence  the  action  a  is  applicable  to  S2  and  will  transform  S2  into  some  S2.  It  remains  to  show  that 
<S|  is  equivalent  to  S2. 

51  ~^a  iS-J 
l 

52  ~^a  S2 

We  consider  our  two  types  of  actions,  namely,  time  advances  and  instantaneous  actions  (see 
Section  2).  Let  the  time  advance  transform  into  5]/,  and  S2  to  S'2.  Since  only  the  timestamp  T 
denoting  the  global  time  in  Time@T  is  increased  by  1,  and  the  rest  of  the  configuration  remains 
unchanged,  only  truncated  time  differences  involving  Time  change  in  the  resulting  configurations. 
Because  of  the  equivalence  S\  ~  S2  ,  for  a  fact  P@T f  in  6)  with  7 ’/ ’  <  T,  Time@T  and 
5 p  Time  =  U  we  have  P@T. '2  with  T2  <  T,  Time@T  and  Sp^Time  =  t  in  S2  as  well.  Therefore, 
we  have  5 p  rime  =  [t  +  1]  both  in  <S(  and  S2.  On  the  other  hand  for  any  future  fact  Q@T Q  with 
8 Time.Q  =  t  in  Si  and  in  S2.  we  get  8rime,Q  =  t  —  1  in  both  <S{  and  S2.  Therefore,  Sf  and  S'2 
are  equivalent.  From  Lemma  4.2,  we  have  that  both  S\  and  S'2  are  future  bounded. 

For  the  second  type  of  actions,  namely  the  instantaneous  actions  belonging  to  agents,  the 
reasoning  is  similar.  Each  created  fact  in  the  configuration  S[  and  S'2  will  be  of  the  form  P@(T1  + 
d)  and  P@(T2  +  d) ,  where  T 1  and  T 2  represent  global  time  in  <Si  and  S2,  respectively.  Therefore 
each  created  fact  has  the  same  difference  d  to  the  global  time  in  the  corresponding  configuration. 
This  implies  that  the  created  facts  have  the  same  truncated  time  differences  to  the  remaining  facts. 
Hence  Si  and  S2  are  equivalent.  Therefore,  action  application  on  (^-representations  shown  in  (4) 
is  well  defined. 

Finally,  as  per  Lemma  4.1,  Si  is  a  goal  (respectively,  critical)  configuration  if  and  only  if  S2  is 
a  goal  (respectively,  critical)  configuration. 

By  induction  on  the  length  of  the  plan,  it  immediately  follows  that,  given  a  planning  prob¬ 
lem,  any  compliant  plan  over  configurations  can  be  represented  by  a  compliant  plan  over  15- 
representations.  That  is,  the  abstraction  of  configurations  to  ^'-representations  is  complete. 

It  remains  to  show  that  the  abstraction  is  also  sound,  namely  that,  from  a  compliant  plan 
over  d'-representations  for  a  given  planning  problem,  we  can  extract  a  concrete  plan  over  config¬ 
urations  and  that  such  a  plan  is  compliant  with  respect  to  that  planning  problem.  Any  given 
(5-representation  corresponds  to  an  infinite  number  of  configurations.  For  example,  for  the 
(5-representation  (Q 1,  Si,Q2,  •  •  ■ ,  Qm~i,  <5m_i,  Qm),  one  of  the  corresponding  configurations  is 

{Qi@0,  Q2@<5i,  Q3@(^i  +  ^2)1  •  •  •  j  Qm@(<5i  +  •  •  •  +  (5m_l)} 

where  8j  =  8,  if  8t  <  Dmax,  and  8,  =  Dmax  +  1  if  Si  =  00.  We  are,  however,  already  given  the 
initial  configuration  IT'o  in  the  planning  problem,  for  which  we  have  A0  =  5w0  ■ 
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We  prove  the  existence  of  a  plan  over  configurations  by  induction  on  the  length  of  the  plan 
over  ^-representations.  Let  Ao  — V,  Ai  — >a2  ■  ■  ■  -^a„  A „  be  a  plan  over  ^-representations, 
compliant  with  the  respect  to  the  given  planning  problem.  Then  Ao  is  the  ^-representation  of 
the  initial  configuration,  i.e.  Ao  =  5\v0 .  For  each  A,_  |  — >Qi  A j,  as  per  Lemma  4.1,  since 
Aj_i  =  $Wi- 1,  the  same  action  a,;  is  applicable  to  the  configuration  FF,_i,  resulting  in  Wi.  As 
proven  above,  and  shown  in  (4),  it  follows  that  At  =  Swt  : 


'Vo 

V_i 

V 

V„ 

II 

II 

II 

II 

V  — >-ai  • 

) 

•  •  “ ^Oi_i  Aj_!  — >ai 

A,:  — >ai+i  • 

) 

’  ’  — : >an  An 

) 

( 

Wo  — >ai  ■ 

( 

•  •  “ ^Oi_i  Wi- 1  — >a.i 

( 

Wi  — >ai+1  • 

( 

’  ’  — : >an  Wn 

Hence,  we  get  a  plan  over  configurations  consisting  of  same  sequence  of  actions  as  the  given  plan 
over  (5 -representations.  Since  none  of  the  (^-representations  A,;  =  Swt  is  critical,  it  is  also  the  case 
that  none  of  the  configurations  Wi  is  critical.  Also,  since  An  =  Swn  is  the  goal  ^-representation, 
it  follows  that  Wn  is  a  goal  configuration.  Hence  the  plan  Wq  — »ai  Mb  —>■•••  — Wn  is 
compliant  with  respect  to  the  given  planning  problem.  □ 

The  above  theorem  establishes  that  using  ^-representations  for  writing  plans  is  well  defined, 
but  it  does  not  establish  a  bound  on  the  number  of  ^-representations.  To  achieve  this,  we  need 
the  further  assumption  that  all  actions  are  balanced.  Recall  that  balanced  actions  are  actions  that 
have  the  same  number  of  facts  in  their  pre-  and  post-conditions.  By  using  balanced  actions,  the 
number  of  facts  in  any  configuration  of  a  plan  is  the  same  as  the  number  of  facts  in  the  plan’s 
initial  configuration.  Hence,  as  we  describe  in  Section  5,  we  can  establish  that  there  is  a  finite 
number  of  ^-representations. 


5.  Complexity  Results 

This  section  enters  into  the  details  of  the  complexity  of  the  planning  problems  for  TLSTSe s. 
These  problems  were  introduced  in  (KRS11;  KRS09)  in  the  setting  without  explicit  time  or 
branching.  At  the  end  of  Section  2  we  have  restated  these  problems  in  our  setting  with  explicit 
time  and  branching.  As  already  mentioned,  different  compliance  problems  are  not  always  of 
the  same  computational  complexity.  For  example,  in  the  case  of  systems  with  non  necessarily 
balanced  actions  and  with  no  fresh  values,  system  compliance  is  EXPSPACE-complete  (KRS09), 
while  the  plan  compliance  problem  is  undecidable  (KRS09).  The  system  compliance  problem 
becomes  undecidable  if  the  creation  of  fresh  values  is  allowed  in  systems  with  possibly  unbalanced 
actions  (KBNS13).  On  the  other  hand,  in  balanced  systems,  even  when  fresh  values  are  allowed 
both  problems  are  PSPACE-complete  (see  Table  1).  It  is  not  a  priori  clear  whether  these  problems 
are  of  the  same  complexity,  nor  what  the  complexity  of  each  of  the  problems  is,  for  the  case  of 
timed  systems  as  well  as  for  branching.  We  investigate  the  complexity  of  these  variations  of  the 
planning  problem  next.  Our  complexity  results  for  TLSTSe s  are  summarized  in  Table  1 . 

Recall  that  facts  are  timestamped  and  that  there  is  a  finite,  possibly  empty  set  of  time  constraints 
attached  to  a  timed  initial,  goal  and  critical  configuration.  Recall  as  well  that  for  a  given  initial 
configuration  W  and  a  finite  set  of  goal  and  critical  configurations,  we  consider  a  branching  plan 
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Table  1.  Summary  of  the  complexity  results  for  the  planning  problems  for  balanced  systems. 
We  mark  the  new  results  appearing  here  with  a  *. 


Planning 

LSTSes  (No  time,  no  branching) 

TLSTSes  (Possible  nonces) 

Problems 

No  fresh  values 

Possible  nonces 

No  branching 

Possible  branching 

(Weak)  Plan 

PSPACE- 

PSPACE- 

PSPACE- 

EXPTIME- 

complete  (KRS 1 1 ) 

complete(KBNSlO) 

complete* 

complete* 

System 

PSPACE- 

PSPACE- 

PSPACE- 

EXPTIME- 

complete  (KRS  1 1 ) 

complete(KBNSlO) 

complete* 

complete* 

V  compliant  if  it  does  not  contain  any  critical  configuration,  and  moreover  if  all  branches  of  V 
lead  from  configuration  W  to  some  goal  configuration. 

Throughout  this  section,  we  assume  that  all  actions  are  balanced,  i.  e. ,  actions  have  the  same 
number  of  facts  in  their  pre  and  post-conditions,  and  that  the  size  of  facts  is  bounded. 


5.1.  Planning  Problems  for  TLSTSes  with  Non-Branching  Actions  only 

We  first  investigate  the  complexity  of  planning  problems  for  TLSTSes  when  actions  are  non¬ 
branching  and  balanced  and  when  the  size  of  facts  is  bounded.  We  show  that  these  problems  are 
PSPACE-complete  with  respect  to  the  parameters  from  the  given  planning  problem. 

PSPACE-liardness:  It  was  shown  in  (KRS11;  KBNS10)  that  one  can  faithfully  encode  a  Turing 
machine  with  a  fixed  size  tape  using  systems  with  balanced  actions.  In  short,  a  configuration  of  a 
Turing  machine  is  represented  by  a  TLSTS  configuration  and  to  each  instruction  of  a  machine 
corresponds  a  sequence  of  balanced  rewrite  rules.  The  same  idea  works  in  our  setting  with  time. 
It  is  easy  to  modify  the  encoding  in  (KRS1 1).  Timestamps  do  not  play  any  important  role  in 
such  encoding.  Also,  critical  configurations  are  not  necessarily  used  in  the  encoding,  so  we 
can  conclude  that  all  three  planning  problems  and  the  reachability  problem  for  TLSTSes  with 
non-branching  balanced  actions  and  facts  of  bounded  size  are  PSPACE-hard. 

PSPACE  upper  bound:  It  is  more  interesting  to  show  that  the  planning  problems  are  in  PSPACE 
when  the  size  of  facts  is  bounded  and  actions  are  non-branching  and  balanced.  In  particular,  we 
will  now  use  all  the  machinery  introduced  in  Section  4  by  using  ^-representations  of  configurations 
to  search  for  compliant  plans. 

In  order  to  determine  the  existence  of  a  compliant  plan,  it  is  enough  to  consider  plans  that  never 
reach  configurations  with  the  same  ^-configuration  twice.  If  a  plan  reaches  a  configuration  whose 
^-representation  is  the  same  as  a  previously  reached  configuration,  there  is  a  cycle  of  actions 
which  could  have  been  avoided.  The  following  lemma  imposes  an  upper  bound  on  the  number  of 
different  ^-representations  in  a  plan,  given  an  initial  finite  alphabet.  Such  an  upper  bound  provides 
us  with  the  maximal  length  of  a  plan  one  needs  to  consider. 

Lemma  5.1.  Given  a  TLSTS  T  under  a  finite  alphabet  E,  an  upper  bound  on  the  size  of  facts,  k, 
and  an  upper  bound,  Dmax,  on  the  numeric  values  appearing  in  the  planning  problem,  namely,  in 
T  and  in  the  initial,  goal  and  critical  configurations,  then  the  number  of  different  ^-representations. 
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denoted  by  Lt(to,  k,  Dmax),  with  m  facts  (counting  repetitions)  is  such  that 

LT(m,  k,  Dmax)  <  ( Dmax  +  2 )(™-D  j™(D  +  2 rnk)mk, 

where  J  and  D  are,  respectively,  the  number  of  predicate  symbols  and  the  number  of  constant 
and  function  symbols  in  the  initial  alphabet  E. 

Proof.  Let  (Qu  Squq2,  Q2,  ■  ■  ■ ,  Qm-i,  Qm)  be  a  ^-representation  with  to  facts. 

There  are  in  slots  for  predicate  names  and  at  most  mk  slots  for  constants  and  function  symbols. 
Constants  can  be  either  constants  in  the  initial  alphabet  E  or  names  for  fresh  values  (nonces). 
Following  (KBNSIO),  we  need  to  consider  only  2 mk  names  for  fresh  values  (nonces).  Finally, 
only  time  differences  up  to  Dmax  have  to  be  considered  together  with  the  symbol  oo  and  there 
are  m  —  1  slots  for  time  differences  in  a  ^-representation.  □ 

Intuitively,  our  upper  bound  algorithm  keeps  track  of  the  length  of  the  plan  it  is  constructing 
and  if  the  length  of  such  a  plan  exceeds  Lt  (to,  k,  Dmax),  then  the  same  ^-representation  has  been 
reached  twice.  This  is  possible  in  PSPACE  since  the  number  of  different  (5-representations  given 
above,  when  stored  in  binary,  occupies  only  polynomial  space  with  respect  to  its  parameters. 

For  the  below  results,  we  assume  that,  given  a  TLSTS  T,  and  a  finite  set  of  goal  and  critical 
configurations,  it  is  possible  to  check  in  polynomial  space  whether  a  configuration  is  critical, 
whether  it  is  a  goal  configuration,  and  whether  an  action  is  valid,  i.e.  whether  it  is  an  instance  of 
an  action  from  T  that  is  applicable  in  a  given  configuration. 

Theorem  5.1.  Let  T  be  a  TLSTS  with  balanced  non-branching  actions.  Then  the  plan  compli¬ 
ance  problem  is  in  PSPACE  with  respect  to  m,  k ,  and  log2  Dmax,  where  m  is  the  number  of  facts 
in  the  initial  configuration,  k  is  the  upper  bound  on  the  size  of  facts,  and  Dmax  is  the  upper  bound 
on  the  numeric  values  appearing  in  the  model  T,  and  in  the  initial,  goal  and  critical  configurations. 

Proof  Assume  given  three  programs,  C,  Q,  and  A.  such  that  they  return  the  value  1  in  polyno¬ 
mial  space  when  given  as  input,  respectively,  a  configuration  that  is  critical,  a  configuration  that 
contains  the  goal  configuration,  and  a  pair  of  a  configuration  and  a  transition  that  is  valid,  that  is, 
an  instance  of  an  action  in  the  TLSTS  T  is  applicable  to  the  given  configuration,  and  return  0 
otherwise. 

Let  m  be  the  number  of  facts  in  the  initial  configuration  W.  Moreover,  assume  as  inputs  an 
upper  bound,  /.;,  on  the  size  of  facts,  an  upper  bound,  Dmax,  on  the  numeric  values  appearing  in 
the  planning  problem,  that  is  in  the  given  TLSTS  T,  in  the  initial,  goal  and  critical  configurations, 
programs  Q,  C ,  and  A,  as  described  above,  and  a  natural  number  0  <  i  <  LT(m.,  k,  Dmax). 

We  modify  the  algorithm  proposed  in  (KBNSIO)  in  order  to  accommodate  explicit  time.  The 
algorithm  must  return  “yes”  (i.e.  ACCEPT)  whenever  there  is  compliant  plan  from  the  initial 
configuration  IK  to  a  goal  configuration,  that  is  a  configuration  S  such  that  G(S)  =  1.  In  order  to 
do  so,  we  construct  an  algorithm  that  searches  non-deterministically  whether  such  a  configuration 
is  reachable.  Then  we  apply  Savitch’s  Theorem  to  determinize  this  algorithm.  However,  instead 
of  searching  for  a  plan  using  concrete  values,  we  rely  on  the  equivalence  described  in  Section  4 
and  use  <5 -representations  only.  Theorem  4.1  guarantees  that  this  abstraction  is  sound  and  faithful. 

From  G,C,  and  A,  it  is  easy  to  construct  new  functions  G',C',  and  A'  that  use  ^'-representations 
instead  of  configurations.  In  particular,  since  time  constraints  associated  to  goal  and  critical 
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configurations  are  also  relative,  these  can  be  checked  by  using  the  truncated  time  differences  in 
^-representations. 

The  algorithm  begins  with  Wo  set  to  be  the  ^-representation  of  W  and  iterates  the  following 
sequence  of  operations: 

1  If  Wi  is  representing  a  critical  configuration,  i.e.,  if  C  (  W,)  =  1,  then  return  FAIL,  otherwise 
continue; 

2  If  Wi  is  representing  a  goal  configuration,  i.e.,  if  Q'  (Wj)  =  1,  then  return  ACCEPT;  otherwise 
continue; 

3  If  i  >  LT(m,  k,  Dmax),  then  FAIL;  else  continue; 

4  Guess  non-deterministically  an  action,  r,  from  T  applicable  to  Wj,  i.e.,  _4'(W:,  r)  =  1.  If  no 
such  action  exists,  then  return  FAIL.  Otherwise  replace  Wi  with  the  ^-representation  W+i 
resulting  from  applying  the  action  r  to  the  ^-representation  Wj.  This  is  done  as  expected, 
by  updating  the  facts,  updating  the  positions  of  facts  and  the  corresponding  truncated  time 
differences  and  continue; 

5  Set  i  =  i  +  1. 

We  now  show  that  this  algorithm  runs  in  polynomial  space.  We  start  with  the  step-counter  i: 
The  greatest  number  reached  by  this  counter  is  L,T(rn,  k,  Dmax).  When  stored  in  binary  encoding, 
this  number  takes  only  space  polynomial  in  the  given  inputs: 

log(TT(?n,  k,  Dmax))  <  (to  -  1)  log  (Dmax  +  2)  +  mlog(J)  +  mk  log(T>  +  2  mk). 

Therefore,  one  only  needs  polynomial  space  to  store  the  values  in  the  step-counter. 

We  must  also  be  careful  to  check  that  any  ^-representation,  Wj,  can  be  stored  in  polynomial 
space  to  the  given  inputs.  Since  our  system  is  balanced,  the  size  of  facts  is  bounded,  and  the 
values  of  the  truncated  time  differences  are  bounded,  hence  the  size  of  any  ^-representation, 
(Q l,  Squq2,Q2i  •  ■  • ,  Qm-I,  Qm),  in  a  plan  is  polynomially  bounded. 

Finally,  the  algorithm  needs  to  keep  track  of  the  action  r  guessed  when  moving  from  one 
configuration  to  another  and  for  the  scheduling  of  a  plan.  It  has  to  store  the  action  that  has  been 
used  at  the  ith  step.  Since  any  action  can  be  stored  by  remembering  two  ^-representations,  one 
can  also  store  these  actions  in  space  polynomial  in  the  inputs.  □ 

The  reachability  problem  is  an  instance  of  the  plan  compliance  problem  with  an  empty  set  of 
critical  configurations,  hence  the  reachability  problem  for  TLSTSes  with  balanced  non-branching 
actions  is  in  PSPACE  as  well. 

Next  we  turn  to  system  compliance  problem.  Recall  that  besides  the  existence  of  a  compliant 
plan  it  is  additionally  requested  that  no  critical  configuration  is  reachable  by  any  sequence  of 
actions  in  the  given  system. 

Theorem  5.2.  Let  T  be  a  TESTS  with  balanced  non-branching  actions.  Then  the  system  com¬ 
pliance  problem  is  in  PSPACE  with  respect  to  to,  k,  and  log2  Dmax,  where  to  is  the  number 
of  facts  in  the  initial  configuration,  k  is  the  upper  bound  on  the  size  of  facts,  and  Dmax  is  the 
upper  bound  on  the  numeric  values  appearing  in  the  model  T,  and  in  the  initial,  goal  and  critical 
configurations. 

Proof.  In  order  to  show  that  the  system  compliance  problem  is  in  PSPACE  we  modify  the 
algorithm  proposed  in  (KRS1 1)  to  accommodate  timestamps  and  time  constraints.  Again  we  rely 
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on  the  fact  that  NPSPACE,  PSPACE,  and  co-PSPACE  are  all  the  same  complexity  class.  We  use 
the  same  notation  from  the  proof  of  Theorem  5.1  and  make  the  same  assumptions.  In  particular, 
we  use  the  algorithms  Q' ,  C' ,  and  A'  that  run  in  polynomial  space  and  that  check  whether  a  timed 
configuration  is  a  goal  configuration,  a  critical  configuration,  or  if  an  action  is  valid  in  the  given 
TLSTS  T.  Again  we  rely  on  the  equivalence  between  configurations  described  in  Section  4  and 
use  ^-representations  only.  Theorem  4. 1  guarantees  us  that  this  abstraction  is  sound  and  faithful. 

We  first  need  to  check  that  none  of  the  critical  configurations  is  reachable  from  the  initial  config¬ 
uration  W.  To  do  this  we  provide  a  non-deterministic  algorithm  which  returns  “yes”  exactly  when 
a  critical  configuration  is  reachable.  The  algorithm  starts  with  Wo  set  to  be  the  ^-representation 
of  W.  For  any  i  >  0,  we  first  check  if  C  (W,)  =  1.  If  this  is  the  case,  then  the  algorithm  outputs 
”yes”.  Otherwise,  we  guess  an  action  r  such  that  A' (r)  =  1  and  that  it  is  applicable  to  the  6- 
representation  Wi.  If  no  such  action  exists,  then  the  algorithm  outputs  “no”.  Otherwise,  we  replace 
Wi  with  the  (^-representation  Wi+\  resulting  from  applying  the  action  r  to  (5-representation  IT, . 
This  is  done  as  expected,  by  updating  the  positions  of  facts  and  the  corresponding  truncated  time 
differences.  Following  Lemma  5.1  we  know  that  at  most  k)  guesses  are  required,  and 

therefore  we  use  a  global  step-counter  to  keep  track  of  the  number  of  actions.  As  shown  in  the 
proof  of  Theorem  5.1,  the  value  of  this  counter  can  be  stored  in  PSPACE. 

Next  we  apply  Savitch’s  Theorem  to  determinize  the  algorithm.  Then  we  swap  the  accept 
and  fail  conditions  to  get  a  deterministic  algorithm  which  accepts  exactly  when  all  critical 
configurations  are  unreachable. 

Finally,  we  have  to  check  for  the  existence  of  a  compliant  plan.  For  that  we  apply  the  same 
algorithm  as  for  the  timed  plan  compliance  problem  from  Theorem  5.1,  skipping  the  checking 
of  critical  states  since  we  have  already  checked  that  no  critical  configurations  is  reachable  from 
W.  From  what  has  been  shown  above  we  conclude  that  the  algorithm  runs  in  polynomial  space. 
Therefore  the  system  compliance  problem  is  in  PSPACE.  □ 


5.2.  Planning  Problems  for  TLSTSes  with  possibly  Branching  Actions 

We  now  consider  the  plan  compliance  problem  when  actions  may  be  branching.  In  particular,  we 
show  that  when  actions  are  balanced  then  the  plan  compliance  problem  is  EXPTIME-complete 
with  respect  to  the  number  of  facts,  m,  in  the  initial  configuration,  the  upper  bound,  fc,  on  the  size 
of  facts,  the  upper  bound.  Dmax,  on  the  numbers  explicitly  appearing  in  the  planning  problem, 
and  the  upper  bound,  p,  on  the  number  of  post-conditions  of  an  action.  For  these  complexity 
results  we  use  alternating  Turing  machines  (CKS81). 

An  alternating  Turing  machine  (ATM)  is  a  non-deterministic  Turing  machine  with  states  that 
are  either  existential  or  universal  states.  An  alternating  Turing  machine  in  an  existential  state 
accepts  if  some  transition  from  that  state  leads  to  an  accepting  state,  while  an  alternating  Turing 
machine  in  a  universal  state  accepts  if  every  transition  from  that  state  leads  to  an  accepting  state. 
Configurations  of  ATMs,  as  with  standard  Turing  machines,  consist  of  a  tape  contents,  head 
position  and  a  state.  Computations  of  alternating  Turing  machines  can  be  represented  as  trees, 
which  is  similar  to  the  representation  of  branching  plans  in  TLSTSes. 

EXPTIME-hardness:  The  lower  bound  for  the  plan  compliance  problem  can  be  inferred  from  a 
similar  lower  bound  described  in  (KV01).  It  was  shown  that  one  can  encode  alternating  Turing 
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machines  by  using  propositional  actions  that  are  balanced  and  branching.  Time  does  not  play  an 
important  role  for  that  encoding. 

EXPTIME  upper  bound:  Our  upper  bound  algorithm  uses  an  alternating  Turing  machine.  In 
particular,  we  show  that  the  plan  compliance  problem  is  in  alternating-PSPACE  (APSPACE)  with 
respect  to  the  number  of  facts,  to,  in  the  initial  configuration,  the  upper  bound  on  the  size  of  facts, 
k,  the  upper  bound,  Dmax,  on  the  numbers  appearing  explicitly  in  the  planning  problem,  and  the 
upper  bound,  p,  on  the  number  of  post-conditions  of  any  action.  That  is,  an  alternating  Turing 
machine  can  solve  the  plan  compliance  problem  using  polynomial  space.  From  the  equivalence 
between  APSPACE  and  EXPTIME  shown  in  (CKS81),  we  can  infer  that  the  plan  compliance 
problem  is  in  EXPTIME  with  respect  to  the  same  parameters. 

We  also  assume  here  that,  given  a  TLSTST ,  and  a  finite  set  of  goal  and  critical  configurations, 
it  is  possible  to  check  in  APSPACE  whether  a  ^-representation  is  a  goal  ^-representation  or  a 
critical  ^-representation  and  whether  an  action  is  valid,  i.e.  whether  it  is  an  instance  of  an  action 
from  T  that  is  applicable  in  the  given  ^-representation. 

Theorem  5.3.  Let  T  be  a  TLSTS  with  balanced  actions.  Then  the  plan  compliance  problem  is 
in  EXPTIME  with  respect  to  m,  k,  and  log2  Dmax,  and  p,  where  m  is  the  number  of  facts  in  the 
initial  configuration,  k  is  the  upper  bound  on  the  size  of  facts,  Dmax  is  the  upper  bound  on  the 
numeric  values  appearing  in  the  model  T,  and  in  the  initial,  goal  and  critical  configurations,  and  p 
is  the  upper  bound  on  the  number  of  post-conditions  of  actions  in  T. 

Proof.  We  exploit  the  fact  that  the  complexity  classes  APSPACE  and  EXPTIME  are  equiva¬ 
lent  (CKS81)  and  show  that  the  plan  compliance  problem  can  be  solved  by  an  alternating  Turing 
machine  in  polynomial  space. 

As  with  the  proof  of  Theorem  5.1,  we  rely  on  the  equivalence  relation  described  in  Section  4 
by  using  the  (5-representations  of  configurations.  Theorem  4.1  ensures  that  such  an  abstraction  is 
sound  and  complete. 

We  define  the  following  function  FIND(i,  X ),  which  takes  a  natural  number,  i,  specifying  the 
depth  of  a  plan  and  a  ^-representation,  X ,  and  returns  ACCEPT  if  a  compliant  plan  of  depth  i 
starting  from  X  exists,  and  returns  FAIL  otherwise.  Recall  from  Lemma  5.1  that  it  suffices  to 
consider  plans  of  depth  bounded  by  Lx{m,  k ,  Dmax).  Our  upper  bound  algorithm  is  the  following: 
Initialize  i  =  Lx(m.,  k,  Dmax)  and  Wt  as  the  ^-representation  of  the  initial  configuration  W. 
Then  proceed  as  follows: 

1  If  Wt  is  a  critical  ^-representation  then  FAIL,  else  continue; 

2  If  Wt  is  a  goal  ^-representation,  then  ACCEPT,  else  continue; 

3  If  i  =  0  then  FAIL,  else  continue; 

4  Guess  non-deterministically  an  action  X  \  T  — '?  a  Bx±.Xi  ©  •  •  •  3xn.Xn,  that  is  applicable 
to  Wu  yielding  ^-representations  W}_  l , . . . ,  lL'7-i ; 

If  no  such  action  exists  return  FAIL; 

5  If  all  executions  of  FIN  DC  -  1,  W^),  . . .,  14ND(/  -  1,  W£_f)  return  ACCEPT,  then  return 
ACCEPT,  otherwise  return  FAIL; 

The  fifth  step  is  where  we  need  the  extra  capabilities  of  an  alternating  Turing  machine  as  we 
require  that  all  executions  of  FIND  return  ACCEPT.  Given  the  proof  of  Theorem  5.1  and  the 
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bound,  p,  on  the  number  of  post-conditions  of  actions,  it  is  easy  to  check  that  the  alternating 
Turing  machine  runs  in  polynomial  space.  □ 

Theorem  5.4.  Let  T  be  a  TLSTS  with  balanced  actions.  Then  the  system  compliance  problem 
is  in  EXPTIME  with  respect  to  m ,  k,  and  log2  D.max,  and  p,  where  rn  is  the  number  of  facts  in 
the  initial  configuration,  k  is  the  upper  bound  on  the  size  of  facts,  Dmax  is  the  upper  bound  on  the 
numeric  values  appearing  in  the  model  T,  and  in  the  initial,  goal  and  critical  configurations,  and  p 
is  the  upper  bound  on  the  number  of  post-conditions  of  actions  in  T- 

Proof.  Similar  to  proof  of  Theorem  5.2  we  first  check  that  a  critical  (5-represen tation  is  not 
contained  in  any  tree  of  actions  of  the  system  with  the  root  W.  As  per  Lemma  5. 1  it  is  enough  to 
consider  trees  of  depth  bounded  by  k ,  Dmax). 

For  that  search  we  define  the  function  CHECK(i,  X ),  which  takes  a  natural  number,  i,  specifying 
the  depth  of  a  tree  and  a  ^-representation,  X  and  returns  ACCEPT  if  a  critical  ^-representation 
cannot  be  reached  from  X  in  a  tree  of  depth  i,  and  returns  FAIL  otherwise.  The  function  CHECK(i, 
Wf)  is  defined  as  follows:  We  initialize  i  =  LT{m,  k,  Dmax)  and  set  Wi  to  be  the  (5-representation 
of  the  initial  configuration  W  and  proceed  as  follows: 

1  If  Wi  is  a  critical  (5-representation,  then  FAIL,  else  continue; 

2  If  i  =  0  then  ACCEPT,  else  continue; 

3  Guess  non-deterministically  an  action  X  \  T  — >a  3x\.X\  ®  •  •  •  3xn.Xn,  that  is  applicable 
to  Wi,  yielding  ^'-representations  W}_x, . . . ,  Wjf  ; 

If  no  such  action  exists  return  ACCEPT; 

4  If  all  of  the  executions  of  CHECKS  -  1,  Wl_f>,  . . .,  CHLCKL  -  1,  Wfyf)  return  ACCEPT, 
then  return  ACCEPT,  otherwise  FAIL. 

The  forth  step  is  where  we  use  the  extra  capabilities  of  an  alternating  Turing  machine  as  we 
require  that  all  executions  return  ACCEPT.  Consequently,  it  will  return  FAIL  if  any  execution  of 
CHECK  returns  FAIL,  i.e.  if  any  branch  reaches  a  critical  (5-representation. 

Then,  if  the  function  CHECK  returned  FAIL  our  upper  bound  algorithm  stops  and  returns 
FAIL.  Otherwise  the  algorithm  proceeds  by  checking  for  the  existence  of  a  compliant  plan  as 
per  algorithm  given  in  the  proof  of  Theorem  5.3.  In  case  FIND(0,FFo)  =  ACCEPT  the  algorithm 
returns  ACCEPT,  and  returns  FAIL  otherwise. 

Given  the  proof  of  Theorem  5.1  and  the  bound,  p,  on  the  number  of  post-conditions  of  actions, 
it  is  easy  to  check  that  the  alternating  Turing  machine  runs  in  polynomial  space.  Since  the  above 
algorithm  is  in  APSPACE,  it  is  in  EXPTIME.  We  can  conclude  that  the  system  compliance 
problem  for  systems  with  possibly  branching  actions  is  in  EXPTIME  .  □ 

As  mentioned  in  Section  2,  in  addition  to  checking  for  the  existence  of  a  plan  in  the  given 
planning  problem,  we  are  also  able  to  schedule  a  plan  in  all  of  the  above  cases.  We  take  the 
additional  input  j  and.  in  the  case  a  compliant  plan  exists,  we  output  the  j-th  action  of  the  plan. 
For  our  PSPACE  results  from  Section  5.1,  we  store  the  action  for  which  the  counter  i  is  equal 
to  j.  Since  an  action  can  be  stored  as  two  (5-configurations,  we  can  remember  the  j-th  action  in 
polynomial  space  with  respect  to  inputs.  For  our  EXPTIME  results  from  Section  5.2,  we  assume 
given  the  tree  traversal  procedure  and  in  case  the  compliant  plan  exists,  following  our  algorithm 
we  run  the  fixed  traversal  strategy  and  output  the  j-th  action. 
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6.  Relaxing  the  restrictions  on  TLSTSes 

In  the  previous  section,  we  demonstrated  that  several  problems,  including  the  reachability  problem, 
are  decidable  (PSPACE-complete  or  EXPTIME-complete)  when  assuming  that  actions  have  the 
following  restrictions: 

1  All  actions  are  Balanced; 

2  The  timestamps  of  all  facts  created  by  an  action  are  of  the  form  T  +  d,  where  T  is  the  current 
time  and  d  a  natural  number; 

3  Time  constraints  of  an  action  are  of  the  form  show  in  Eq.  1,  i.e.,  T\  =  X2  ±  d ,  T)  >  T2  ±  d, 
or  Xi  >  T2  ±  d,  involving  exactly  two  timestamps  and  a  natural  number  d. 

Besides  the  intuitions  given  in  Section  2  for  these  restrictions,  we  show  in  this  section  that 
relaxing  any  one  of  these  restrictions  leads  to  the  undecidability  of  the  reachability  problem.  The 
undecidability  of  the  reachability  problem  implies  the  undecidability  of  the  planning  problems  we 
study  in  Section  5. 

Kanovich  et  al.  (KRS09)  have  already  shown  that  the  reachability  problem  is  undecidable 
when  unbalanced  actions  are  allowed.  Thus,  we  show  that  the  two  remaining  conditions  are 
indeed  necessarily  for  the  decidability  of  the  reachability  problem.  In  Section  6.1,  we  demonstrate 
that  if  we  only  relax  condition  2  above,  then  the  reachability  problem  is  undecidable  in  general, 
while  in  Section  6.2  we  show  that  if  we  only  relax  condition  3  above  then  the  reachability  is 
also  undecidable  in  general.  In  order  to  obtain  these  undecidability  results,  we  show  that  the 
reachability  problem  can  be  reduced  to  the  termination  problem  of  a  two  counter  Minsky  machine, 
which  is  known  to  be  undecidable  (MM61).  We  briefly  review  Minsky  machines: 

A  Two-Counter  Machine  proposed  by  Minsky  (MM61)  is  a  machine  that  contains  two  registers 
r±  and  r2,  a  set  of  states,  S ,  and  a  set  of  instructions,  'T.  A  configuration  of  a  Minsky  machine  is  a 
tuple  (k,  i,  j ),  where  k  is  the  state  of  the  machine,  i  is  the  value  stored  in  the  register  r\  and  j  the 
value  stored  in  the  register  r 2. 

There  are  only  four  types  of  instructions  each  of  them  leading  from  one  state,  k,  to  another 
state,  j  or  j\  or  J2,  but  with  the  following  side  effects  on  the  value  of  registers: 

—  (Add  r,)  insk :  Ti  =  r*  +  l;goto  insj\ 

—  (Subtract  r,)  insk :  t-i  =  r,  —  l;goto  iriSj ; 

—  (0-test  Vi)  insk'  if  r,j  =  0  goto  insj1  else  goto  insj2; 

—  (Jump)  insk'  goto  i/riSj ; 

(1)  An  Add  r,  instruction  increments  the  register  r, ;  (2)  A  Sub  r,  instruction  is  applicable  only 
when  r,  has  a  positive  number  and  decrements  it;  (3)  A  0-test  r,  instruction  is  a  branching 
instruction  leading  to  one  state  if  rt  contains  zero  and  to  another  state  otherwise;  finally  (4)  a  Jump 
instructions  simply  moves  from  one  state  to  another  without  changing  the  values  stored  in  the 
registers.  Minsky  showed  that  the  problem  of  determining  whether  a  final  state,  ao,  is  reachable 
from  an  initial  state  is  undecidable.  We  assume,  with  loss  of  generality,  that  in  the  initial  state  the 
registers  r\  and  r2  are  set  to  zero. 

6.1.  Relaxing  Advances  of  Timestamps 

This  section  shows  that  by  relaxing  the  restriction  that  timestamps  of  facts  created  by  actions 
should  be  necessarily  of  the  form  T  +  d,  where  T  is  the  current  time  of  the  enabling  configuration 
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and  d  a  natural  number.  We  generalize  actions  to  be  of  the  following  form: 

Time@T,  W,  Pi(c*i)@Tl5 . . . ,  Pn{cn)@Tn  \  T  t A 
3 u.Time@T,  W,  P{(^)@(T  +  /r(Ti, . . . ,  Tn)), . . . ,  P'm^m)@{T  +  fm(Tu . . . ,  T„)), 

where  in  the  timestamps  of  the  created  facts  a  polynomial  /,  (Ti , . . . ,  Tn)  is  added  to  the  global 
time,  T.  Polynomial  /,  (Ti ,Tn)  may  contain  timestamps  T3, ...  ,Tn  that  appear  as  timestamps 
of  facts  in  the  precondition  of  the  action.  We  say  that  such  an  action  is  linearly-time-advancing  if 
all  polynomials  /,; (Ti , ...  ,Tn)  are  linear. 

Given  the  actions  of  the  above  form,  we  show  that  the  reachability  problem  for  these  systems 
is  undecidable  already  for  systems  with  balanced  actions  that  are  linearly-time-advancing.  This 
means  that  all  compliance  problems  discussed  in  Section  2  are  also  undecidable  for  such  systems. 

Theorem  6.1.  Given  a  TLSTS  with  balanced  and  linearly-time-advancing  actions,  the  reachabil¬ 
ity  problem  is  undecidable. 

Proof.  The  proof  is  obtained  by  reducing  the  reachability  problem  of  TLSTSes  with  actions 
that  are  balanced  and  linearly-time-advancing  to  termination  of  Minsky  machines.  We  encode  an 
arbitrary  Minksy  machine  M  as  follows: 

For  each  state  label  k,  we  associate  a  zero  arity  predicate  Stk,  called  state  fact,  denoting  the 
current  state  of  the  machine.  Moreover,  we  use  two  zero  arity  predicates  R\  and  I  f  to  keep  track 
of  the  value  stored  in  the  registers  r\  and  r 2,  respectively.  Our  actions  will  enforce  that  at  any 
given  configuration  there  is  exactly  one  state  fact  and  exactly  one  occurrence  of  a  R\  and  a  R2 
fact.  We  encode  the  values  stored  in  the  registers  ri  and  r2,  by  using  the  timestamps  of  the  state 
facts,  and  by  using  the  facts  R\  and  R2  appearing  in  a  configuration  as  follows: 

If  Stk@T ,  Ri@Ti  and  Ilpil  j  are  the  occurrences  of  the  state  fact  and  Ri,  R2  in  a  configu¬ 
ration.  then  such  a  configuration  specifies  that  the  machine  is  in  state  k ,  the  value  stored  in  the 
register  r  t  is  (Ti  —  T)  and  the  value  in  r2  is  T  —  T2.  For  instance,  the  following  configuration 
{Time@7,  S'faQl,  f?2@5}  specifies  M’s  configuration  (a,  3,  5). 

Each  of  M’s  instructions  is  encoded  by  the  corresponding  balanced  linearly-time-advancing 
actions.  The  actions  of  the  encoding  have  the  following  shape: 

(Add  n)  Time@T,  Stk@T!,  J?i@T2,  R2@T3  -U 

Time@T,  Stj@T,  f?i@(T  +  T2  -  Ti  +  1),  R2@(T  +  T3-  T) 

(Add  r2)  Time@T,  R3@T2,  R2@T3 

Time@T,  Stj@T,  l?i@(T  +  T2  -  Ti),  R2@(T  +  T3-T 1  +  1) 

(0-test  7-1  if)  Time@T,  Stk@Tu  7?i@T2,  R2@T3  \  {Ti  =  T2}  — yA 
Time@T,  Stj^T,  R2@{T  +  T3-  Ti) 

(0-test  n  else)  Time@T,  RX@T2,  R2@T3  \  {Ti  <  T2}  — yA 

Time@T,  Stj2@T,  +  T2-  7\),  R2@(T  +  T3-  Tf 

(0-test  r2  if)  Time@T,  Stk@Tu  R2@T3  \  {Ti  =  T3}  — 

Time@T,  Stj^T,  f?i@(T  +  T2-  Ti),  R2@T 
(0-test  r2  else)  Time@T,  S4@Ti,  RL@T2,  R2@T3  \  {Ti  <  T3}  ->A 

Time@T,  Stj2@T,  f?i@(T  +  T2  -  Ti),  R2@(T  +  T3-  Tf 
(Jump)  Time@T,  Stk@Ti,  Ri@T2,  R2@T3  — >a 

Time@T,  Stj@T,  +  T2  -  Tf,  R2@@{T  +  T3-  Tf) 

It  is  easy  to  show  that  each  action  faithfully  encodes  the  corresponding  instruction  in  M.  For 
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instance,  consider  the  first  action  above  encoding  an  (Add  rf)  instruction.  At  the  precondition  the 
values  stored  in  the  registers  n  and  r2  are,  respectively,  T2  —  T\  and  T3  —  Ti .  In  the  post-condition, 
however,  since  the  facts  have  to  advance  in  time,  the  timestamp  of  the  fact  Stj,  denoting  the  next 
instruction,  is  changed  to  the  current  global  time  T.  Therefore,  the  timestamps  of  the  facts  R\ 
and  f?2  have  to  be  updated  to  T  +  T2  —  T\  +  1  and  T  +  T2  —  Ti,  where  the  value  in  the  register 
ri  is  increased  by  one.  Also  notice  that  (0-test  r,)  instructions  are  split  into  two  actions:  one  for 
the  case  when  the  test  is  satisfied  ((0-test  r,  if)  and  the  other  for  the  case  when  the  test  is  not 
satisfied  (0-test  r,  else).  The  goal  is  to  reach  a  configuration  that  reaches  the  final  state  ao,  which 
is  encoded  by  the  fact  Stao  ■ 

For  soundness,  the  only  problem  could  be  with  the  action  that  advances  the  global  time. 
However,  since  all  actions  above  take  into  account  the  global  time  and  recompute  the  timestamps 
of  Ri  and  f?2  so  that  they  correspond  to  the  correct  values  stored  in  the  respective  registers,  the 
system  is  sound.  For  completeness,  one  can  show  that  if  we  do  not  advance  time,  the  values  of  the 
timestamps  of  Ri  and  R2  correspond  exactly  to  the  values  stored  by  the  registers  r\  and  r2,  since 
the  timestamps  of  facts  Stk,  encoding  instructions,  are  always  zero.  Hence,  the  encoding  in  our 
system  is  complete. 

Finally,  notice  that  we  do  not  require  critical  configurations,  we  use  only  one  agent  A ,  and  no 
actions  above  updates  values  with  fresh  ones.  □ 

Since  the  reachability  problem  is  undecidable  and  in  the  proof  we  do  not  make  use  of  any 
critical  states,  all  of  the  compliance  problems  mentioned  in  Section  2  are  undecidable. 

Corollary  6.1.  Given  a  TLSTS  with  balanced  actions  that  are  linearly-time-advancing,  then  the 
plan  compliance  and  the  system  compliance  problems  are  undecidable. 


6.2.  Relaxing  Time  Constraints 

Instead  of  relaxing  the  timestamps  of  the  facts  in  the  post-condition,  we  now  relax  the  form  of 
time  constraints  in  the  guard  of  actions  and  investigate  the  complexity  of  the  reachability  problem 
for  such  systems.  Recall  that  in  our  models,  TLSTSe s,  time  constraints  are  necessarily  of  the 
form  Ti  oT2  +  d,  where  o  £  {>,>,=,<,<}  and  d  is  a  natural  number.  We  relax  this  condition 
by  allowing  actions  to  contain  constraints  of  the  form  Ti  o  f(T\, . . . ,  Tn),  where  /  is  a  linear 
polynomial  and  T\ , . . . ,  Tn  are  the  timestamps  appearing  in  the  precondition  of  the  corresponding 
action.  We  call  this  type  of  actions  linearly-constrained  actions.  We  show  that  the  reachability 
problem  for  TLSTSe s  with  balanced  and  linearly  constrained  actions  is  also  undecidable. 

Theorem  6.2.  Given  a  TLSTS  with  balanced  and  linearly-constrained  actions,  then  the  reacha¬ 
bility  problem  is  undecidable. 

Proof.  As  in  the  proof  of  Theorem  6. 1 ,  we  reduce  the  reachability  problem  for  TLSTSe s  to 
the  termination  of  an  arbitrary  Minsky  Machine  M. 

As  in  the  proof  of  Theorem  6. 1 .  the  difference  between  the  timestamps  of  Ri  (respectively, 
R2)  and  Stk  will  denote  the  value  of  the  register  77  (respectively,  r2).  We  also  use  the  auxiliary 
predicate  Aux,  and  a  predicate  Update ?  for  each  instruction  7  and  i  £  {1,2}  together  with  the 
Time  predicate  to  encode  the  effects  of  the  instructions  of  M,  such  as  the  instruction  to  add  a 
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value  to  a  register.  The  initial  configuration  consists  of  six  facts  with  three  copies  of  Aux. 


I  =  {Sfi@0,  R2@0,  Aua:@0,  Aux@(),  Aux@0,  Time© 0}. 


where  we  assume  w.l.o.g.  that  the  values  in  both  registers  is  zero.  A  goal  configuration  is  any 
configuration  containing  the  facts  G  =  {Stao@Ti,  Aux@T2,  Aux@T3 ,  Aux@T3}. 

Each  of  M’s  instructions  is  encoded  using  a  collection  of  auxiliary  actions.  Consider  the 
following  instruction,  7,  that  adds  the  register  77 : 


(Add  ri)  insk :  r±  =  77  +  l;goto  inSj 


This  instruction  is  encoded  by  the  following  four  balanced  and  linearly-constrained  actions: 


(Action  7  1)  Time@T,  Ri@Ti,  R2@T2,  Stk@T3,  Aux@T4,  Aux@T$,  Aux@Te  — >a 

Time@T,  Ri@T4,  R2@T2,  Stk@T3,  Stj@T,  UpdateJ@T,  Update^  @T 

(Action  7  2)  Time@T,  R1@T1,R2@T2,  Stk@T3,  Stj@T4,  UpdateJ@n  \  {T  =  T4  +  7i  -  T3  +  1}  ->A 
Time@T,  Ri@T,  R2@T2,  Stk@T3,  Stj@T4,  Aux@T 

(Action  7  3)  Time@T,  R1@T1,R2@T2,  Stk@T3,  Stj@T4,  Update^@T5  \  {T  =  T4  +  T2  —  T3}  — >a 
Time@T,  R2@T,  Stk@T3,  Stj@T4,  Aux@T 

(Action  7  4)  Time@T,  Stk@T3,  Stj@T4 ,  Aux@T3,  Aux@Te  — >a 

Time@T,  Stk@T3,  Aux@T,  Aux@T,  Aux@T 


The  first  action  is  applicable  only  when  the  current  state  is  k,  specified  by  the  fact  Stk©T3  in  the 
enabling  configuration.  It  replaces  the  Aux  facts  with  Stj@T,  UpdateJ@T ,  U pdate'l^T .  The 
first  fact  encodes  the  new  state  j.  Since  the  timestamp  of  Stj  is  T,  whereas  the  values  in  the 
registers  are  computed  with  respect  to  the  timestamp  T3  of  Stk,  namely  T±  —  T3  and  T2  —  T3,  we 
need  to  update  the  timestamps  of  R\  and  Ii  >  to  be  relative  to  T.  This  is  the  purpose  of  the  facts 
UpdateJ@T ,  U pdate'l@T  and  of  the  second  and  the  third  action.  The  second  action  updates  the 
timestamps  of  If  when  the  current  time  is  exactly  T4  +  T\  —  T3  +  1,  that  is,  the  previous  value 
stored  in  the  register  77  plus  1  and  relative  to  the  timestamp  of  Stj.  The  third  action  is  similar 
and  corresponds  to  updating  the  timestamp  of  R2.  Only,  after  the  second  and  third  action  have 
been  applied  can  the  fourth  action  be  enabled  and  applied,  as  this  requires  two  Aux  facts  in  the 
precondition  .  The  fourth  action  then  simply  forgets  the  previous  state,  k,  by  replacing  Stk  with 
Aux. 

The  actions  encoding  other  type  of  instructions  are  similar.  We  show  below  the  encodings  of  the 
instructions  for  Subtracting,  instruction  for  the  0-test  for  the  register  77  and  the  JUMP  instruction. 
The  remaining  actions  for  register  r2  are  similar. 
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7  is  a  Subtract  instruction  for  n : 

(Action  7  1)  Time@T,  R4@T4,  R2@T2,  Stk@T3,  Aux@T4,  Aux@T3,  Aux@T6  \  { Ti  >  T3}  — >A 
Time@T,  f?4@Ti,  R2@T2,  Stk@T3,  Stj@T,  Update]  @T,  Update] @T 

(Action  7  2)  Time@T,  R1@T1,R2@T2,  Stk@T3,  Stj@T4,  Update]  @T5  \  {T  =  T4  +  Ti  -  T3  -  1}  -u 
Time@T,  Ri@T,  R2@T2,  Stk@T3,  Stj@T4,  Aux@T 

(Action  7  3)  Time@T,  R1@T1,R2@T2,  Stk@T3,  Stj@T4,  Update]@T5  \  {T  =  T4 +T2  -  T3) 
Time@T,  Ri@Ti,R2@T,  Stk@T3,  Stj@T4,  Aux@T 

(Action  7  4)  Time@T,  Stk@T3,  Stj@T4,  Aux@T$,  Aux@Te  — M 

Time@T,  Stk@T3,  Aux@T,  Aux@T,  Aux@T 


7  is  a  0-test  instruction  for  r, : 

(Action  7  1  if)  Time@T,  Ri@T4,  R2@T2,  Stk@T3,  Aux@T4,  Aux@T3,  Aux@T@  — >A\  Ti  =  T3 
Time@T,  R4@T,  R2@T2,  Stk@T3,  Stj^T,  Aux@T5,  Update]@T 

(Action  7  1  else)  Time@T ,  Ri@T4,  R3@T2,  Stk@T3,  Aux@T4,  Aux@T$ ,  Aux@T3  — >a|  Ti  >  T3 
Time@T,  f?4@Ti,  R2@T2,  Stk@T3,  Stj2@T,  Update]@T,  Update]@T 

(Action  7  2)  Time@T,  R1@T1,R2@T2,  Stk@T3,  Stk@T4,  Update]@Ts  \  {T  =  T4  +  Ti  -  T3}  ->A 
Time@T,  Ri@T ,  R2@T2,  Stk@T3,  Stk@T4,  Aux@T 

(Action  7  3)  Time@T,  R4 @T4,  R2@T2,  Stk@T3,  Stk@T4,  Update]@T5  \  {T  =  T4 +  T2  -  T3}  ^A 
Time@T,  Ri  @Ti ,  R2  @T,  Stk  @T3 ,  Sth  @T4 ,  Aux@T 

(Action  7  4)  Time@T,  Stk@T3,  St-j,  @T4 ,  Aux@T3,  Aux@T3  — >A 

Time@T,  Stk@T3,  Aux@T,  Aux@T,  Aux@T 


7  is  a  Jump  instruction: 

(Action  7  1)  Time@T,  R4@T4,  R2&T2,  Stk@T3,  Aux@T4,  Aux@T$,  Aux@Te  — >A 

Time@T,  R1@Ti,R2@T2,  Stk@T3,  Stj@T,  Update]  @T,  Update]  @T 

(Action  7  2)  Time@T,  R1@T1,R2@T2,  Stk@T3,  Stj@T4,  Update]@T5  {T  =  T4  +  Ti  —  T3}  ->A 
Time@T,  R4@T,  R2@T2,  Stk@T3,  Stj@T4,  Aux@T 

(Action  7  3)  Time@T,  R1@T1,R2@T2,  Stk@T3,  Stj@T4,  Update]@T5  {T  =  T4  +  T2  —  T3}  — >a 
Time@T,  Ri@T4,  R2@T,  Stk@T3,  Stj@T4,  Aux@T 

(Action  7  4)  Time@T,  Stk@T3,  Stj@T4,  Aux@Ts,  Aux@Te  ~^A 

Time@T,  Stk@T3,  Aux@T,  Aux@T ,  Aux@T 

The  auxiliary  facts  Aux ,  Update]  are  necessary  for  the  soundness  and  completeness  of  our 
encoding.  In  particular,  actions  can  only  be  applied  in  the  following  order: 

Action  7  l,n  x  Clock,  Action  7  i.  m  x  Clock,  Action  7  j.  h  x  Clock,  Action  7  4 

where  n,  m,  k  is  a  number  of  time  advances,  possibly  zero,  and  { 1 ,  j }  =  {1,  2},  that  is,  either 
Action  7  1  is  applied  before  Action  7  2  or  vice-versa. 

We  can  prove  by  induction  on  the  size  of  plans  that  for  a  given  Minsky  machine  M  and  its 
encoding  7m  as  described  above,  then  M  reaches  the  final  state  «(,  if  and  only  if  Tm  reaches  a 
goal  configuration  from  the  initial  configuration  I. 

Notice  that  we  do  not  need  any  critical  configurations. 
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Since  the  termination  problem  is  undecidable,  so  is  the  reachability  problem  for  TLSTSes  with 
balanced  and  linearly-constrained  actions.  □ 

We  can  conclude  that  since  the  reachability  problem  is  undecidable  and  in  the  proof  we  do 
not  make  use  of  any  critical  states,  all  the  compliance  problems  mentioned  in  Section  2  are 
undecidable  for  systems  with  balanced  and  linearly-constrained  actions. 

Corollary  6.2.  Given  a  TLSTS  with  balanced  actions  that  are  linearly-constrained,  then  the  plan 
compliance  and  the  system  compliance  problems  are  undecidable. 

7.  Related  Work 

The  specification  of  regulations  has  been  the  topic  of  many  recent  works.  In  (BDMN06;  BMDS07; 
LMS09),  a  temporal  logic  formalism  for  modeling  collaborative  systems  is  introduced.  In  this 
framework,  one  relates  the  scope  of  privacy  to  the  specific  roles  of  agents  in  the  system.  For 
instance,  a  patient’s  test  results,  which  normally  should  not  be  accessible  to  any  agent,  are 
accessible  to  the  agent  that  has  the  role  of  the  patient’s  doctor.  We  believe  that  our  system 
can  be  adapted  or  extended  to  accommodate  such  roles  depending  on  the  scenario  considered. 
In  particular,  it  also  seems  possible  to  specify  in  our  framework  the  health  insurance  scenario 
discussed  in  (LMS09).  De  Young  et  al.  describe  in  (DGJ+10)  the  challenges  of  formally  specifying 
the  temporal  properties  of  regulations,  such  as  HIPAA  and  GLPA.  They  extend  the  temporal 
logic  introduced  in  (BDMN06)  with  fixed  point  operators,  which  seem  to  be  required  in  order 
to  specify  these  regulations.  A  temporal  logic  to  specify  regulations,  such  as  the  FDA  Code 
of  Federal  Regulations  (CFR),  as  properties  of  traces  abstractly  representing  the  operations  of 
an  organization  are  given  in  (DJLS08).  Notions  of  permissions  and  obligations  are  introduced 
to  deal  with  regulatory  sentences  as  conditions  or  exceptions  to  others.  An  algorithm  to  check 
conformance  of  audit  logs  to  security  and  privacy  policies  expressed  in  a  first-order  logic  with 
restricted  quantification  is  presented  in  (GJD1 1).  In  the  case  of  incomplete  logs  a  residual  policy 
is  returned. 

Temporal  logics  are  suitable  for  specifying  the  temporal  properties  that  need  to  be  satisfied  by 
the  traces  of  a  system’s  operation.  Our  approach  starts  with  an  executable  specification  of  a  system 
using  rewriting  logic,  combined  with  a  mechanism  to  specify  and  check  properties  of  executions. 
Specifically,  critical  and  goal  configurations  defined  in  the  equational  sublogic  allow  us  to  express 
properties  needed  for  generating  plans  for  patient  visits,  and  for  monitoring  clinical  investigations 
including  FDA  reporting  regulations.  Timestamps  allow  us  to  express  both  temporal  properties 
and  timing  constraints.  Moreover,  this  approach  allows  us  to  use  existing  rewriting  tools,  such  as 
Maude  (CDE+07),  to  implement  our  specifications  and  analyses. 

The  Petri  nets  (PNs)  community  has  investigated  many  related  problems  involving  time.  In 
particular,  the  coverability  problem  of  PNs  is  related  to  our  partial  goal  reachability  problem  for 
TLSTSes  of  a  simple  form  -  without  branching  actions,  or  critical  states,  or  fresh  values  (KRS09). 
In  (dFRA+00),  de  Frutos  Escrig  et  al.  show  decidability  results  for  the  coverability  problem  of  a 
type  of  Timed  PNs  with  discrete  time.  There  seem  to  be  connections  between  our  timestamps  of 
facts  and  their  time  (age)  associated  to  tokens  as  well  as  connections  between  our  time  constraints 
and  their  time  intervals  labeling  the  arcs  in  these  PNs.  However,  the  complexity  of  their  decision 
procedures  is  extremely  high,  as  compared  with  our  upper  bounds.  Notice  that  branching  actions 
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and  critical  states  are  not  considered  there.  Despite  these  connections,  we  did  not  find  any  work 
that  captures  exactly  the  model  presented  in  this  paper. 

Real  time  systems  differ  from  our  setting  since  dense  time  domains,  such  as  the  real  numbers, 
are  required,  while  in  our  intended  applications,  such  as  clinical  investigations,  discrete  numbers 
suffice.  The  models  introduced  in  (AM04;  KOS98;  OM07)  deal  with  the  specification  of  real  time 
systems  and  also  explore  the  complexity  of  some  problems.  We  give  more  detailed  comparison 
with  Timed  Automata  in  the  following  section. 

Kanovich  et  al.  in  (KOS98)  propose  a  linear  logic  based  framework  for  specifying  and  model¬ 
checking  real  time  systems.  In  particular,  they  demonstrate  fragments  of  linear  logic  for  which 
safety  problems  are  PSPACE-complete.  Interestingly,  their  examples  are  all  balanced  which  is 
in  accordance  to  some  of  our  conditions.  However,  as  discussed  in  (DGP08),  their  model  is 
limited  since  one  is  not  allowed  to  specify  properties  which  involve  different  timestamps.  In  our 
formalism,  such  properties  can  be  specified  using  time  constraints.  In  (OM07)  conditions  are 
identified  for  which  the  problem  of  checking  whether  a  system  satisfies  a  property,  specified 
in  linear  temporal  logic,  is  decidable.  As  their  main  application  is  for  real  time  systems,  they 
also  assume  dense  time  domains,  although  discrete  time  domains  can  also  be  accommodated. 
They  identify  non-trivial  conditions  on  actions  which  allow  one  to  abstract  time  and  recover 
completeness.  We  are  currently  investigating  whether  a  simpler  definition  of  balanced  actions  and 
relative  time  constraints  can  provide  more  intuitive  abstractions  for  systems  with  dense  times. 

7.1.  Comparison  with  Timed  Automata 

Timed  Automata  ( AD94)  have  been  introduced  as  finite  automata  extended  with  real-time  clocks 
two  decades  ago  and  have  since  well  proved  their  significance.  They  have  been  successfully  used 
for  the  verification  of  many  systems  involving  real-time.  It  is  impressive  the  amount  of  work  and 
results  that  have  been  achieved,  which  also  include  powerful  implementations  and  tools. 

Our  Timed  Local  State  Transition  Systems  offer  another  framework  for  timed  systems  which 
enables  us  to  formalize  systems  with  explicit  time  including  the  regulations  and  the  requirements 
in  collaborative  systems  with  confidentiality.  While  there  are  some  similarities  between  Timed 
automata  and  our  TLSTS  formalism,  as  both  involve  time,  there  are  also  some  important  differ¬ 
ences  in  both  the  constructs  available  in  the  language  and  also  in  the  complexity  results  obtained, 
including  the  proofs. 

We  highlight  some  differences: 

—  Instead  of  only  considering  the  reachability  problem,  we  deal  with  more  general  and  com¬ 
plicated  planning  problems,  namely,  the  plan  compliance  and  system  compliance  problems. 
Thus  solutions  to  the  tasks  we  are  dealing  with  should  intertwine  the  positive  features,  that  is 
to  reach  a  goal,  with  the  negative  features  -  only  those  solutions  that  do  not  go  through  any 
critical  states  are  acceptable; 

—  As  we  illustrated  in  the  paper,  the  use  of  actions  with  non-deteministic  effects  (branching 
actions)  is  also  an  important  feature  of  TLSTSe s,  allowing  one  to  reason  with  a  wider  range  of 
systems  and  problems.  It  does  not  seem  possible  to  model  such  actions  using  Timed  Automata; 

—  We  allow  actions  to  create  fresh  values  or  nonces.  This  is  an  important  feature  of  our  model 
enabling  us  to  specify  and  verify  security  protocols  (KBNS13;  KBNS10)  and  other  processes 
that  require  unique  identification  such  as  our  clinical  trials  example.  Indeed,  as  our  work  is 
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closely  related  to  security,  the  feature  of  fresh  values  is  very  much  of  interest  to  us  since  it  is 
essential  in  the  field  of  security,  going  back  to  (HRU76).  As  actions  can  create  a  potentially 
infinite  number  of  distinct  nonces,  systems  have  in  principal  an  infinite  number  of  configura¬ 
tions.  Thus  it  is  surprising  that  we  can  still  guarantee  PSPACE/EXPTIME-completeness  for 
our  planning  problems  even  though  actions  can  create  an  unbounded  number  of  nonces. 
Traditionally,  Timed  Automata  do  not  address  nonces.  More  recently  there  have  been  some 
solutions  in  the  Timed  Automata  literature  for  handling  nonces.  For  example,  (CEHM07) 
formalize  the  generation  of  nonces  using  timed  automata,  but  they  need  to  assume  that  in 
advance  there  is  a  fixed  finite  bound  on  the  number  of  nonces. 

These  differences  on  the  constructs  available  lead  to  differences  in  the  complexity  proofs.  In 
order  to  illustrate  these  differences,  consider  the  following  timed  version  of  the  classical  Towers 
of  Hanoi  puzzle,  where  each  move  takes  one  time  unit. 

Timed  Towers  of  Hanoi  Puzzle:  Initially,  at  moment  f0-  a  stack  of  n  disks  u  \ ,  a2,  a3, . . . , 
of  increasing  size  arranged  from  the  largest  at  the  bottom  to  the  smallest  on  top  is  placed  on  a 
peg  b\.  The  other  two  pegs,  62  and  b3 ,  are  empty. 

The  move  is  allowed  only  if  it  places  a  smaller  disk  at  on  top  of  a  larger  disk  a3,  here  i<j.  The 
processing  time  of  the  move  is  assumed  to  be  1  nanosecond. 

The  objective  is  to  move,  in  the  shortest  time,  the  stack  from  the  peg  b\  to  the  peg  b3,  in  such  a 
way  that  no  disk  is  ever  placed  on  a  smaller  one. 

To  formalize  the  problem,  we  will  use  the  following  predicates: 

(a)  On(a;,  y)  stands  for  “x  is  placed  on  top  of  y" 

(b)  Clear(a’)  means  that  “ nothing  is  on  top  of  x” 

Accordingly, 

(c)  Dn(a;,t/)@f  stands  for  “x  is  placed  on  top  of  y  at  moment  t” 

(d)  Clear(a;)@f  means  that  “x  becomes  available  at  moment  t” 

The  initial  configuration,  W,  can  be  formalized  as: 

Time@t0,  Clear(ai)@f0,  On(ai,  a2)@t0,  On(an,  an+i)@t0 
On(an,  bi)@to,  Clear(&2)@i0i  Clear(&3)@f0 

The  goal  configuration,  G,  is  formalized  as: 

Time@t,  Clear(ai)@f',  Qn(ai,  a2)@fi,  . . . ,  On(an,  an+i)@in 
Clear(&i)@Ti,  Clear(62)@T2,  On(a„,  b3)@T3 

Consider  a  move  action  that  transforms,  in  1  nanosecond,  a  configuration  of  the  form 


into  a  configuration  of  the  form 
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Formally,  this  move  action  is  axiomatized  as  a  multiset  rewriting  rule  in  the  form  of  a  scheme: 

Time@t ,  Clear(x)@fi,  On(:r,  y)@i2,  Clea.r(z)@t3  |  {ti<t,  t2<t,  t3<t} 

(7) 

— >  Time@t ,  Clear(x)@(f+1),  Clear(j/)@(f+l),  On(:E,  z)@(i+l) 

“At  the  present  moment  t,  if  x  and  z  are  still  available,  and  x  is  placed  on  top  of  y,  then  x  and  y  become 
available  at  the  next  moment  t +1,  and  x  will  be  placed  on  top  of  z  by  the  next  moment  t  + 1.  ” 

Here  x,  y ,  and  z  are  distinct,  x  is  some  a,,  y  is  either  b\,  or  b2,  or  b3,  or  a h,  z  is  either  b3,  or  b2, 
or  b3 ,  or  ctj  such  that  i<j. 

One  can  check  that  the  number  of  the  propositional  instances  (of  the  untimed  variables,  x,  y ,  z ) 
of  the  move  action  (7)  is  O(rf').  Thus  the  size  of  the  actual  input  to  the  planning/reachability 
problem  within  this  example  is  polynomial:  0(n3),  which  results  in  that  our  general  PSPACE 
decision  procedure  developed  for  the  actions  with  deterministic  effects  is  running  at  most  in  the 
polynomial  space  with  respect  to  n. 

As  compared  to  the  Timed  Automata  formalism  (AM04),  any  timed  automaton  representing 
the  system  in  this  example  has  at  least  2n  —  1  states.  Therefore,  given  such  an  automaton  as  the 
input,  the  general  reachability  decision  procedure  developed  for  timed  automata  will  run  at  least 
in  polynomial  space  but  polynomial  with  respect  to  2™. 

This  phenomena  occurs  because  we  consider  first-order  rules  in  our  system,  while  Timed 
Automata  is  given  as  a  set  of  its  states  and  transitions  /  arrows  between  the  states  extended  with  a 
finite  set  of  clocks  of  the  same  rate.  Thus,  when  we  try  to  instantiate  a  problem,  such  as  the  Timed 
Towers  of  Hanoi  shown  above,  using  Timed  Automata  there  is  an  explosion  on  the  number  of 
states. 

Finally,  we  point  to  an  important  difference  on  the  formalization  of  the  complexity  proofs,  in 
particular,  in  the  way  in  which  configuration  equivalence  is  established.  One  uses  time-regions 
to  establish  the  equivalence  relation  between  Timed  Automata  configurations.  These  are  highly 
multidimensional  structures  -  the  dimension  is  proportional  to  the  number  of  clocks  involved. 
Their  states  can  be  conceived  of  as  the  result  of  the  horizontal  time  cut,  since  all  ingredients  of 
a  state,  such  as  clock  values  etc,  are  being  taken  just  at  the  present  moment.  The  result  of  the 
transition  depends  only  upon  the  present  state  -  that  is,  given  the  present,  the  future  does  not 
depend  on  the  past. 

The  use  of  ((-configurations  to  establish  the  equivalence  of  configurations  is  a  one-dimensional 
structure:  a  sequence  of  atomic  events  (that  might  have  happened  at  different  moments)  ordered 
in  accordance  with  their  time  moments.  The  sequence  is  equipped  with  the  sequence  of  adjusted 
time  distances  between  the  events  adjacent  vertically  in  time.  As  such  we  are  able  to  model 
“history-sensitive”  transitions,  which  are  directly  dealing  not  only  with  the  present  moment  but 
with  the  history  of  the  corresponding  events  that  happened  in  the  past.  This  allows  us  to  model 
deadlines,  for  example. 

We  show  that  such  a  seemingly  straightforward  one-dimensional  structure  works  perfectly 
well  even  in  the  branching  case  of  actions  with  non-deterministic  effects.  Since  we  allow  any 
number  of  nonce  updates,  an  additional  twist  to  the  decidability  problem  is  that  we  have  to 
cope  with  a  potentially  infinite  number  of  nonces,  which  causes  a  potentially  infinite  number  of 
(5-configurations,  as  well. 
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8.  Conclusions  and  Future  Work 

This  paper  introduced  a  model  based  on  multiset  rewriting  that  can  be  used  for  specifying  policies 
and  systems  which  mention  time  explicitly.  We  have  shown  that  the  planning  problems  for 
balanced  systems  not  containing  branching  actions  are  PSPACE-complete  and  that  the  same 
problems  for  balanced  systems  possibly  containing  branching  actions  are  EXPTIME-complete. 
We  have  also  shown  that  the  restrictions  on  the  form  of  actions  and  time  constraint  taken  in  the 
definition  of  our  model,  TESTS,  are  necessary  to  obtain  the  decidability  of  the  reachability  and 
planning  problems. 

We  also  provided  the  semantics  of  TLSTSe s  as  a  linear  logic  with  definitions  theory.  Our 
adequacy  result  capitalized  on  the  completeness  of  the  focusing  strategy  for  this  logic. 

There  are  many  directions  which  we  intend  to  follow.  In  (NBS+12),  we  describe  how  an 
assistant  can  help  the  participants  of  clinical  investigations  to  reduce  mistakes  and  comply  with 
policies.  We  are  extending  our  current  implementation  into  a  small  scale  prototype  in  Maude  in 
order  to  collect  more  feedback  from  the  health  care  community.  One  main  challenge,  however,  is 
to  specify  procedures  in  a  modular  fashion.  One  might  need  to  specify  intermediate  languages 
that  are  closer  to  the  terminology  and  format  used  in  the  specification  of  CIs,  but  that  are  still 
precise  enough  to  translate  them  into  a  TLSTS.  We  hope  that  the  work  described  in  (DJLS1 T) 
may  help  us  achieve  this  goal. 

We  would  also  like  to  extend  our  model  to  include  dense  times.  This  would  allow  us  to  specify 
policies  for  which  real-times  are  important.  For  instance,  (APG+10)  describes  how  one  can  reduce 
human  errors  by  connecting  medical  devices  and  configuring  them  according  to  some  hospital 
policies. 

Another  interesting  problem  to  explore  is  checking  whether  a  given  plan,  for  example,  a  plan 
embedded  in  a  protocol,  complies  with  regulations  no  matter  how  it  is  executed.  Such  checks 
would  help  protocol  design  and  review,  and  FDA  audits  as  well  as  sponsors  to  monitor  CIs  and 
detect  mistakes  as  early  as  possible. 

Finally,  recently  we  have  formalized  Progressing  Collaborative  Systems  that  may  create  fresh 
values  (KBNS13),  inspired  by  security  protocols  and  administrative  and  business  processes. 
Such  systems  are  efficient,  i.e.  the  processes  are  always  advancing  and  are  completed  in  a 
bounded  number  of  transactions.  This  is  reflected  in  the  complexity  of  the  planning  problems 
with  progressing  behavior.  We  are  currently  looking  into  extending  the  notion  of  progressing  to 
systems  with  time.  We  are  also  investigating  sensible  notions  of  timed  intruder  models.  We  believe 
that  one  can  apply  the  machinery  introduced  in  this  paper  together  with  the  notion  of  Bounded 
Memory  Protocols  (KBNS14)  to  specify  sensible  security  protocols  that  mention  time. 
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